thehackernews.com web signal

LiteLLM Flaw Chains to CVSS 10 Unauthenticated RCE


Key insights

  • CVE-2026-42271 alone requires a low-privilege API key; the unauthenticated RCE path only opens when chained with CVE-2026-48710 in Starlette ≤1.0.0.
  • The exploit targets two MCP server test endpoints that accept stdio transport command fields — architecture built for developer convenience, not production hardening.
  • Attackers who achieve RCE gain access to all model provider API keys and secrets cached by the proxy, enabling lateral movement into connected AI systems.

Why this matters

Active exploitation of LiteLLM and its CISA KEV listing confirm that AI gateway infrastructure is now a prioritized target for real-world attack campaigns. Horizon3.ai's chain discovery shows that CVE-2026-48710, a Starlette dependency flaw, strips away the only authentication barrier protecting CVE-2026-42271, pushing an already-critical standalone bug to CVSS 10.0. CISA's BOD 22-01 imposes a mandatory federal remediation deadline, but the agency explicitly recommends that all organizations treat this with the same urgency. SentinelOne's timeline places original discovery on May 8, 2026, meaning a five-week window elapsed between discovery and documented active exploitation.

Summary

CISA added CVE-2026-42271 in BerriAI's LiteLLM to its Known Exploited Vulnerabilities catalog on Monday, citing evidence of active exploitation. The flaw affects two MCP REST endpoints; when called with a stdio configuration, they spawn any supplied command as a subprocess on the proxy host, with no protection beyond a valid proxy API key. Horizon3.ai found that chaining it with CVE-2026-48710, a Starlette host header bypass, removes that authentication requirement entirely, yielding a combined CVSS of 10.0. Essentially, two bugs (one in BerriAI's LiteLLM, one in Starlette) chain into unauthenticated remote code execution.

  • LiteLLM versions 1.74.2 to 1.83.6 are affected; the fix is version 1.83.7.
  • Starlette 1.0.0 and below enables the bypass; upgrade to 1.0.1.
  • Post-patch, the vulnerable test endpoints now require the PROXY_ADMIN role.

LiteLLM functions as an AI model proxy, so compromised instances expose stored credentials and direct access to production model endpoints.
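The version ranges above decide which of the two exposure levels a given host has. The following triage sketch is an added example, not code from LiteLLM, Horizon3.ai or any cited source; it classifies hosts from `pip freeze` output, and the host names, sample pins and verdict strings are constructed for illustration.

```python
import re

# Version bounds exactly as stated in the summary above.
LITELLM_FIRST_AFFECTED = (1, 74, 2)
LITELLM_FIXED = (1, 83, 7)
STARLETTE_FIXED = (1, 0, 1)

def release_tuple(version):
    """Leading numeric segments: '1.83.6.post1' -> (1, 83, 6).
    Assumption: pre/post-release suffixes are ignored when comparing."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def classify(litellm_version, starlette_version):
    """Map an installed version pair to the exposure the summary describes."""
    if not LITELLM_FIRST_AFFECTED <= release_tuple(litellm_version) < LITELLM_FIXED:
        return "litellm-outside-affected-range"
    if starlette_version is None:
        return "rce-with-api-key (starlette version unknown)"
    if release_tuple(starlette_version) < STARLETTE_FIXED:
        return "unauthenticated-rce-chain"
    return "rce-with-api-key"

def triage_freeze(freeze_text):
    """Classify one host from `pip freeze` output (name==version lines)."""
    pins = {}
    for line in freeze_text.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep:
            pins[name.lower().replace("_", "-")] = ver
    if "litellm" not in pins:
        return "litellm-not-installed"
    return classify(pins["litellm"], pins.get("starlette"))

# Constructed inventory: host names and pins are made up for illustration.
SAMPLE_FLEET = {
    "gw-a": "litellm==1.80.0\nstarlette==0.47.2\n",
    "gw-b": "litellm==1.83.6\nstarlette==1.0.1\n",
    "gw-c": "litellm==1.83.7\nstarlette==1.0.0\n",
    "gw-d": "fastapi==0.115.0\n",
}

def triage_fleet(fleet=SAMPLE_FLEET):
    return {host: triage_freeze(text) for host, text in fleet.items()}

if __name__ == "__main__":
    for host, verdict in triage_fleet().items():
        print(f"{host}: {verdict}")
```

A host that lands in either RCE bucket and was network-reachable should also have the provider keys and secrets cached by the proxy rotated, since upgrading does not undo prior exposure.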

Potential risks and opportunities

Risks

  • Organizations running LiteLLM 1.74.2 to 1.83.6 with network-accessible proxy endpoints face unauthenticated full server compromise if Starlette is also unpatched, with all stored API credentials directly at risk.
  • BerriAI faces reputational damage and potential enterprise contract reviews if active exploitation is traced to data breaches at customer organizations before patch deployment completes.
  • Federal agencies using LiteLLM as an AI model proxy face CISA KEV mandatory remediation deadlines, with potential operational disruption if the proxy must be taken offline to patch or audit.

Opportunities

  • Horizon3.ai's public chain-discovery research positions them for inbound consulting interest from organizations auditing LiteLLM deployments and AI proxy infrastructure across their stack.
  • AI gateway and proxy vendors offering default RBAC enforcement on admin endpoints gain evaluation cycles from security teams reassessing their LiteLLM posture following the KEV listing.
  • Credential rotation and AI infrastructure security audit services see near-term demand from any organization that ran LiteLLM in an internet-accessible configuration between versions 1.74.2 and 1.83.6.

What we don't know yet

  • Scope of active exploitation: CISA confirmed exploitation but no victim organizations, attack scale, or threat actor attribution has been disclosed in public reporting.
  • Whether organizations that ran LiteLLM 1.74.2 to 1.83.6 with exposed endpoints have rotated their stored proxy credentials following discovery.
  • Timeline between Horizon3.ai's chain-vulnerability discovery and CISA's Monday KEV addition, and whether coordinated disclosure preceded confirmed exploitation in the wild.

What others are reporting

Coverage cluster as of 2h after publish

  1. First-party KEV addition notice; invokes BOD 22-01 mandatory remediation deadline for FCEB agencies and explicitly extends the patching recommendation to all organizations.

    These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.
  2. Horizon3.ai

    Original discoverers; identifies Starlette ≤1.0.0 as the precise dependency condition enabling the chain and has released a NodeZero Rapid Response test for safe validation.

    The result is unauthenticated remote code execution against vulnerable LiteLLM deployments, allowing attackers to execute commands as the LiteLLM proxy process.
  3. SentinelOne

    Provides concrete IOCs (suspicious child processes, outbound proxy subprocess connections), a step-by-step remediation playbook, and dates original discovery to May 8, 2026.

    Authenticated attackers with low-privilege API keys can execute arbitrary commands on the LiteLLM proxy host, enabling full host compromise.
  4. runZero

    Shifts focus to exposure surface management; provides a specific runZero query to fingerprint LiteLLM proxy instances by HTTP title across enterprise networks.

    A remote, low-privileged attacker can exploit this by providing a crafted server configuration in the request body.