thehackernews.com web signal

LiteLLM Flaw Chains to CVSS 10 Unauthenticated RCE

7 sources tracking this story

Key insights

  • Horizon3.ai's June 1 chain validation came 24 days after SentinelOne's May 8 documentation, leaving a window where organizations treated an 8.8-severity bug as manageable.
  • The Starlette BadHost flaw (CVE-2026-48710) removes the authentication prerequisite for any Starlette-based application, not only LiteLLM.
  • Affected versions run from 1.74.2 to 1.83.6; the patch in 1.83.7 enforces the PROXY_ADMIN role on both vulnerable MCP test endpoints and updates the Starlette dependency.

Why this matters

Horizon3.ai's June 1 confirmation that CVE-2026-42271 chains with Starlette's BadHost flaw (CVE-2026-48710) converted a credentialed CVSS 8.8 finding into a CVSS 10.0 unauthenticated RCE, compressing the window between SentinelOne's May 8 initial documentation and active exploitation to 24 days. CISA's June 8 KEV listing triggers a June 22 BOD 22-01 deadline for all federal agencies, covering LiteLLM versions 1.74.2 through 1.83.6. CybelAngel identifies a credential multiplier effect: one compromised LiteLLM proxy exposes API keys for every connected model provider simultaneously, making it a single-point extractor for lateral movement and ransomware staging. The Starlette dependency shared with vLLM, FastAPI agent frameworks, and MCP servers means the BadHost authentication bypass surface extends across the broader AI toolchain.

Summary

CISA added CVE-2026-42271 in BerriAI's LiteLLM to its Known Exploited Vulnerabilities catalog on Monday, citing evidence of active exploitation. The flaw targets two MCP REST endpoints; when called with a stdio configuration, they spawn any supplied command as a subprocess on the proxy host, with no protection beyond a valid proxy API key. Horizon3.ai found that chaining it with CVE-2026-48710, a Starlette host header bypass, removes that authentication requirement entirely, yielding a combined CVSS of 10.0.

Essentially: two bugs (BerriAI, Starlette) that chain into unauthenticated remote code execution.

  • LiteLLM versions 1.74.2 to 1.83.6 are affected; the fix is version 1.83.7.
  • Starlette 1.0.0 and below enables the bypass; upgrade to 1.0.1.
  • Post-patch, the vulnerable test endpoints now require the PROXY_ADMIN role.

LiteLLM functions as an AI model proxy, so compromised instances expose stored credentials and direct access to production model endpoints.
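The version bounds in this summary, turned into an inventory check for one Python environment (an added example, not code from LiteLLM, Starlette or the cited reports). The exposure labels, the function names and the choice to treat a pre-release of a fixed version as unfixed are assumptions of this example.

```python
"""Triage one Python environment against the version bounds quoted on this page."""
import re
from importlib import metadata

LITELLM_FIRST_AFFECTED = (1, 74, 2)   # per the page: 1.74.2 to 1.83.6 affected
LITELLM_FIXED = (1, 83, 7)            # per the page: fixed in 1.83.7
STARLETTE_FIXED = (1, 0, 1)           # per the page: 1.0.0 and below affected

def parse_version(text):
    """'1.83.7rc1' -> ((1, 83, 7), True); the flag marks a pre-release/dev build."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    pre = bool(re.match(r"[.\-_]?(a|b|rc|dev|alpha|beta)\d*", m.group(2), re.I))
    return tuple(nums), pre

def is_before(text, fixed):
    """True if the version sorts before `fixed`; a pre-release of `fixed` counts as before."""
    release, pre = parse_version(text)
    return release < fixed or (release == fixed and pre)

def classify(litellm_version, starlette_version):
    """Map a (litellm, starlette) version pair to an exposure label; None = not installed."""
    starlette_vuln = starlette_version is not None and is_before(starlette_version, STARLETTE_FIXED)
    litellm_vuln = (litellm_version is not None
                    and not is_before(litellm_version, LITELLM_FIRST_AFFECTED)
                    and is_before(litellm_version, LITELLM_FIXED))
    if litellm_vuln and starlette_vuln:
        return "unauthenticated-rce-chain"   # both halves of the chain present
    if litellm_vuln:
        return "authenticated-rce"           # still needs a valid proxy API key
    if starlette_vuln:
        return "starlette-host-bypass-only"  # any Starlette-based app in this env
    return "not-affected"

def installed(name):
    """Installed distribution version, or None when the package is absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    print(classify(installed("litellm"), installed("starlette")))
```

A "not-affected" result covers only the packages in the interpreter that ran the check; stored provider credentials on a proxy that previously ran an affected version are a separate question.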

Potential risks and opportunities

Risks

  • Organizations running LiteLLM 1.74.2 to 1.83.6 with network-accessible proxy endpoints face unauthenticated full server compromise if Starlette is also unpatched, with all stored API credentials directly at risk.
  • BerriAI faces reputational damage and potential enterprise contract reviews if active exploitation is traced to data breaches at customer organizations before patch deployment completes.
  • Federal agencies using LiteLLM as an AI model proxy face CISA KEV mandatory remediation deadlines, with potential operational disruption if the proxy must be taken offline to patch or audit.

Opportunities

  • Horizon3.ai's public chain-discovery research positions them for inbound consulting interest from organizations auditing LiteLLM deployments and AI proxy infrastructure across their stack.
  • AI gateway and proxy vendors offering default RBAC enforcement on admin endpoints gain evaluation cycles from security teams reassessing their LiteLLM posture following the KEV listing.
  • Credential rotation and AI infrastructure security audit services see near-term demand from any organization that ran LiteLLM in an internet-accessible configuration between versions 1.74.2 and 1.83.6.

What we don't know yet

  • Scope of active exploitation: CISA confirmed exploitation but no victim organizations, attack scale, or threat actor attribution has been disclosed in public reporting.
  • Whether organizations that ran LiteLLM 1.74.2 to 1.83.6 with exposed endpoints have rotated their stored proxy credentials following discovery.
  • Timeline between Horizon3.ai's chain-vulnerability discovery and CISA's Monday KEV addition, and whether coordinated disclosure preceded confirmed exploitation in the wild.

What others are reporting

Coverage cluster as of 24h after publish

  1. Horizon3.ai

    Original researcher documenting the chain mechanics, exploitation timeline, and NodeZero Rapid Response test methodology confirming the full bypass path.

    When chained with CVE-2026-48710, the authentication requirement can be bypassed entirely, resulting in unauthenticated RCE.
  2. SentinelOne

    Initial discoverer providing precise affected version range (1.74.2 to 1.83.6), names both vulnerable MCP endpoints, and adds process-monitoring detection strategies.

    Authenticated attackers with low-privilege API keys can execute arbitrary commands on the LiteLLM proxy host.
  3. Help Net Security

    Frames the BadHost chain that removes the API key requirement entirely and anchors remediation to CISA's June 22 federal agency deadline under BOD 22-01.

    Any authenticated user — including holders of low-privilege internal-user keys — could run arbitrary commands.
  4. CybelAngel

    Enterprise risk framing connecting single-instance compromise to ransomware-as-a-service credential aggregation across all connected model providers simultaneously.

    A single compromised LiteLLM instance can expose API keys for every model provider it connects to simultaneously.
  5. Rescana

    Adds reverse proxy endpoint blocking and credential rotation as concrete mitigations, with monitoring indicators for detecting Host header bypass attempts.

    Exploitation grants attackers the ability to execute arbitrary commands, exfiltrate sensitive data, and pivot to other systems.
  6. Cyber Press

    Independent confirmation of active exploitation and AI infrastructure lateral movement, published June 9 concurrent with the CISA KEV addition.

    Threat actors are actively exploiting a critical unauthenticated remote code execution (RCE) vulnerability in LiteLLM.