Summary
A command-injection flaw in the widely used LiteLLM AI gateway (CVE-2026-42271) lets its MCP test endpoints run arbitrary commands, and Horizon3.ai showed it chains with a Starlette host-header bypass (CVE-2026-48710) into unauthenticated remote code execution at a combined CVSS 10.0. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 8, 2026 after confirming active in-the-wild exploitation; the fix shipped in LiteLLM 1.83.7.
What changed
Horizon3.ai disclosed that LiteLLM's POST /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints accept attacker-controlled command, args, and env for the stdio transport, enabling command injection (CVE-2026-42271), and that chaining a Starlette BadHost header bypass (CVE-2026-48710) removes the auth requirement for full unauthenticated RCE. CISA listed it as exploited; affected versions 1.74.2 through 1.83.6 are fixed in 1.83.7.
Why it matters
LiteLLM proxies many teams' model traffic and stores provider API keys, so an unauthenticated RCE lets attackers steal cross-provider credentials and pivot into connected AI infrastructure, making the AI gateway a high-value new attack surface that security teams must patch and lock down.
Evidence excerpt
Chained with a Starlette host header bypass (CVE-2026-48710), CVE-2026-42271 becomes unauthenticated RCE with a combined CVSS of 10.0; CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 8, 2026 after confirming active in-the-wild exploitation.