PERMISSION/PROTOCOL

2026-06-08

Severity: Critical | Source: Media report

CISA KEV: CVE-2026-42271 in LiteLLM — authenticated command injection via MCP test endpoints, chains to unauthenticated RCE (CVSS 10.0)

CISA added CVE-2026-42271 in BerriAI LiteLLM to its KEV catalog on June 8, 2026. The MCP test endpoints allow authenticated command injection, which chains to unauthenticated RCE via the Starlette BadHost bypass.

Affected product: BerriAI LiteLLM
Category: Tool execution / MCP
Attack class: Command injection / Remote code execution via AI gateway
At risk: LiteLLM proxy host, model provider credentials (OpenAI/Anthropic/etc. API keys), connected AI infrastructure

What happened

The attacker POSTs a crafted MCP server config (command: reverse-shell, args, env) to /mcp-rest/test/connection; LiteLLM spawns the command as a subprocess with the privileges of the proxy process. When chained with the Starlette Host header bypass, no credentials are required.

Why it matters

Full host shell access; exfiltration of all model provider API keys stored in the proxy; lateral movement into every AI system behind the LiteLLM gateway; downstream credential compromise of connected OpenAI, Anthropic, and other LLM provider accounts.

Missing authorization check

Spawning an OS subprocess via an MCP endpoint configuration should have required explicit PROXY_ADMIN authorization. Any operation that crosses the code-execution boundary on the host must be gated beyond a basic API key check.

Would PP block it?

PP's Tool-Call Gate would enforce authority receipts for agent-initiated actions routed through LiteLLM (model calls, tool dispatches). An agent attempting to use the /mcp-rest/test endpoints as a side channel to execute host commands would require a receipt scoped to 'host subprocess execution' — which no legitimate workflow would grant. However, a direct attacker exploiting the unauthenticated RCE chain bypasses the agent layer entirely and hits the OS before PP's enforcement point. PP stops the agent; it cannot stop the attacker hitting infrastructure directly.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-26: CVE-2026-48710 (Starlette BadHost) disclosed — the authentication bypass component
  2. 2026-06-08: CISA adds CVE-2026-42271 to KEV catalog; due date June 22, 2026
  3. 2026-06-08: Horizon3.ai publishes exploit chain — CVE-2026-42271 + CVE-2026-48710 yields unauthenticated RCE, combined CVSS 10.0
  4. 2026-06-09: The Hacker News reports active exploitation; LiteLLM 1.83.7 patch (PROXY_ADMIN role required) already available
  5. 2026-06-10: Widespread media coverage; automated scanning tools targeting exposed LiteLLM deployments confirmed

Technical breakdown

  • Affected endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list accepted a full MCP server config including command, args, and env fields for stdio transport — effectively an arbitrary subprocess launcher
  • Authentication bypass: CVE-2026-48710 (Starlette ≤1.0.0 BadHost header bypass) strips authentication entirely, transforming an authenticated-user exploit into zero-credential RCE
  • Privilege inheritance: spawned subprocess runs with full privileges of the LiteLLM proxy process — in containerized deployments often running as root or with broad IAM permissions
  • Credential exposure: LiteLLM stores model provider API keys in memory/config; shell access on the proxy host yields all keys for OpenAI, Anthropic, Azure, etc. gated behind the proxy
  • Patch: LiteLLM 1.83.7 now requires PROXY_ADMIN role for the test endpoints; Starlette 1.0.1 patches the host header bypass
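As an added illustration (not LiteLLM's or PP's own code) of the authorization boundary described in "Missing authorization check" and in the technical breakdown above: a Python gate that refuses the two MCP test endpoints to any caller without the PROXY_ADMIN role, treats a stdio config carrying command/args/env as a crossing of the host code-execution boundary that must carry a receipt even for an admin, and, as defense in depth against a Host-header authentication bypass, rejects unrecognised Host values before any auth logic runs. The role string, ALLOWED_HOSTS and the Decision type are assumptions; the endpoint paths and config fields are from the advisory.

```python
"""Authorization gate for the LiteLLM MCP test endpoints (illustrative, not LiteLLM code)."""
from dataclasses import dataclass

PROXY_ADMIN = "proxy_admin"  # assumed role name
TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Any of these fields in a stdio MCP config means "launch an OS subprocess".
SUBPROCESS_FIELDS = {"command", "args", "env"}
ALLOWED_HOSTS = {"litellm.internal.example"}  # constructed deployment value


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_receipt: bool = False  # PP-style receipt needed before execution


def crosses_exec_boundary(server_config: dict) -> bool:
    """True when honouring this config would spawn a subprocess on the proxy host."""
    return (
        server_config.get("transport") == "stdio"
        or bool(SUBPROCESS_FIELDS.intersection(server_config))
    )


def gate_mcp_test(path: str, host_header: str, role: str, server_config: dict) -> Decision:
    """Decide whether a request may reach an MCP test endpoint and what it needs."""
    if path not in TEST_ENDPOINTS:
        return Decision(True, "not a gated endpoint")
    # Refuse unknown Host values before auth runs, so a framework-level
    # Host-header bypass cannot turn this into an unauthenticated path.
    if host_header not in ALLOWED_HOSTS:
        return Decision(False, "unrecognised Host header")
    # A plain API key is not enough: the test endpoints need PROXY_ADMIN.
    if role != PROXY_ADMIN:
        return Decision(False, "PROXY_ADMIN role required for MCP test endpoints")
    if crosses_exec_boundary(server_config):
        # Even an admin crossing the code-execution boundary must carry a
        # receipt naming the specific operation and target host.
        return Decision(True, "stdio server test: subprocess launch needs a receipt",
                        requires_receipt=True)
    return Decision(True, "admin testing a non-stdio transport")
```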

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: PP enforcement sits above the LiteLLM proxy; agent actions are gate-checked before being routed to the gateway. The vulnerable endpoints are below this boundary.
Still needs: Infrastructure-layer hardening of the AI gateway itself. PP does not govern LiteLLM deployment configuration, authentication posture, or patch cadence. Deployment hygiene is out of scope.
Receipt required for: Any agent action that spawns OS-level subprocesses, configures MCP server transports, or reads/writes LiteLLM proxy credentials must carry a receipt naming the specific operation and target host.

PP operates above the gateway layer — agent-level consequential actions still require PP-signed authority receipts regardless of LiteLLM compromise. However, PP cannot prevent an attacker from exploiting the LiteLLM host directly; this is an infrastructure-layer exploit below the PP enforcement boundary.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
