Overview
- CISA on Monday added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog and said it has evidence the LiteLLM flaw is being abused in the wild.
- The bug is a command-injection flaw in the LiteLLM AI gateway: an authenticated user could pass attacker-controlled commands to two MCP test endpoints, and the proxy host then executed them. The issue affects versions >=1.74.2 and <1.83.7 and was fixed in 1.83.7.
- Researchers at Horizon3.ai showed the LiteLLM flaw can be chained with a Starlette host-header validation bypass (affecting Starlette <=1.0.0) to bypass authentication entirely, yielding unauthenticated remote code execution; Starlette released 1.0.1 to close the bypass.
- Vendors and advisers say organizations should upgrade LiteLLM to 1.83.7 and Starlette to 1.0.1; where patching is not immediately possible, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway in front of LiteLLM; rotate every credential the proxy holds (model provider keys, virtual keys, database and secret-store credentials); restrict network access to the proxy; and review logs for unexpected Host header values and child processes spawned by the LiteLLM service.
- Public details remain limited on who is exploiting the bug or how widespread compromises are, but the KEV listing, together with the rapid weaponization of an earlier LiteLLM flaw, underlines the acute risk to AI proxies, which by design hold model and API credentials for many downstream services.
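Two of the checks above (confirming whether an installed LiteLLM/Starlette pair falls in the affected ranges, and scanning access logs for the two MCP test endpoints and unexpected Host headers) can be scripted. The block below is an added triage example written for this page; it is not code from LiteLLM, Starlette, Horizon3.ai or CISA. The version ranges and endpoint paths come from the advisory text above; the log line format, the `host=` field, the Host allowlist and the sample log lines are constructed assumptions for the example.

```python
"""Added triage example (not LiteLLM, Starlette or CISA code).

Two checks a practitioner would run after reading the advisory:
  1. is_affected(): is an installed LiteLLM / Starlette pair inside the
     version ranges the advisory names (LiteLLM >=1.74.2,<1.83.7;
     Starlette <=1.0.0)?
  2. scan_access_log(): flag requests to the two MCP test endpoints and
     Host headers outside an allowlist, over a constructed sample log.
The log line shape below is an assumption, not a real LiteLLM log format.
"""
import re
from dataclasses import dataclass

LITELLM_VULN_MIN = (1, 74, 2)   # first affected (inclusive), from the advisory
LITELLM_FIXED = (1, 83, 7)      # fixed in 1.83.7 (exclusive upper bound)
STARLETTE_FIXED = (1, 0, 1)     # Starlette 1.0.1 closes the host-header bypass

# The two endpoints the advisory says to block at the gateway.
BLOCKED_ENDPOINTS = {
    ("POST", "/mcp-rest/test/connection"),
    ("POST", "/mcp-rest/test/tools/list"),
}


def parse_version(s: str) -> tuple:
    """'1.83.7' -> (1, 83, 7). Any pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(litellm_version: str, starlette_version: str) -> dict:
    """Return which halves of the chain are present for the given versions."""
    lv = parse_version(litellm_version)
    sv = parse_version(starlette_version)
    litellm_vuln = LITELLM_VULN_MIN <= lv < LITELLM_FIXED
    starlette_vuln = sv < STARLETTE_FIXED
    return {
        "litellm_vulnerable": litellm_vuln,
        "starlette_vulnerable": starlette_vuln,
        # the unauthenticated RCE chain described above needs both flaws
        "unauth_rce_chain": litellm_vuln and starlette_vuln,
    }


@dataclass
class Finding:
    line_no: int
    reason: str
    line: str


# Assumed log line shape: '<METHOD> <PATH> <STATUS> host=<Host header value>'
LOG_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) host=(?P<host>\S+)$"
)


def _bare_host(host: str) -> str:
    """Lower-case and drop a trailing :port; IPv6 literals assumed bracketed."""
    h = host.lower()
    if h.startswith("["):
        return h.split("]", 1)[0] + "]"
    return h.rsplit(":", 1)[0] if ":" in h else h


def scan_access_log(lines, allowed_hosts):
    """Flag MCP test-endpoint requests (any status) and off-allowlist Hosts."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for n, raw in enumerate(lines, 1):
        m = LOG_RE.match(raw.strip())
        if not m:
            findings.append(Finding(n, "unparseable line", raw))
            continue
        method, path, host = m["method"], m["path"].split("?", 1)[0], m["host"]
        if (method, path) in BLOCKED_ENDPOINTS:
            findings.append(Finding(n, f"request to MCP test endpoint {method} {path}", raw))
        if _bare_host(host) not in allowed:
            findings.append(Finding(n, f"Host header outside allowlist: {host}", raw))
    return findings


# Constructed sample log: not captured from any real system.
SAMPLE_LOG = [
    "POST /chat/completions 200 host=llm-proxy.internal",
    "POST /mcp-rest/test/connection 200 host=llm-proxy.internal",
    "GET /health 200 host=llm-proxy.internal:4000",
    "POST /mcp-rest/test/tools/list 401 host=attacker.example",
    "POST /v1/models 200 host=attacker.example",
]
ALLOWED_HOSTS = {"llm-proxy.internal"}

if __name__ == "__main__":
    print(is_affected("1.80.0", "1.0.0"))
    for f in scan_access_log(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"line {f.line_no}: {f.reason}")
```

The endpoint check deliberately flags hits regardless of response status: under the chained bypass the request is unauthenticated yet still succeeds, and a 401 on the same path is still a probe worth seeing. The Host allowlist is only useful if the gateway or LiteLLM is configured to log the Host header; if it is not, enable that before relying on this scan.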