BerriAI LiteLLM MCP Stdio Command Injection (CVE-2026-42271)

Severity Assessment

• Exploitability: 8/10 — The vulnerable endpoints are reachable over the network with low attack complexity, but exploitation requires a valid LiteLLM proxy API key.
• Impact: 9/10 — Successful exploitation runs arbitrary commands on the LiteLLM proxy host with the privileges of the proxy process, exposing local secrets, credentials, and downstream service access.
• Weaponization Risk: 8/10 — CISA KEV status indicates exploitation in the wild, and LiteLLM often centralizes access to multiple upstream model providers and internal services.
• Patch Urgency: 9/10 — CISA added the vulnerability to KEV on 2026-06-08 with a 2026-06-22 remediation deadline; BerriAI fixed the issue in version 1.83.7.
• Detection Coverage: 5/10 — Network and proxy logs can surface calls to the affected MCP endpoints, but host-level command execution depends on process, shell, and container telemetry.

Summary

CVE-2026-42271 is an authenticated command injection vulnerability in BerriAI LiteLLM, an AI gateway and proxy server. The flaw affects LiteLLM versions 1.74.2 through versions before 1.83.7. BerriAI’s advisory says two MCP preview endpoints accepted a full stdio server configuration, including command, args, and env fields. When the endpoints attempted to connect, LiteLLM spawned the supplied command as a subprocess on the proxy host.

The affected endpoints are POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. The advisory states that these endpoints were gated only by a valid proxy API key and did not enforce a role check. As a result, any authenticated user, including holders of low-privilege internal-user keys, could run arbitrary commands on the host.

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on 2026-06-08. NVD scores the vulnerability as CVSS 3.1 8.8 high and maps it to CWE-78 and CWE-77. The MCP stdio command injection flaw is distinct from the earlier LiteLLM SQL injection tracked as CVE-2026-42208 and from the separate LiteLLM supply-chain compromise.

Exploit Chain

Stage 1: Obtain or abuse a valid LiteLLM proxy API key

The attacker needs an authenticated path to the LiteLLM proxy. Public sources do not identify a specific credential-theft mechanism for observed exploitation of this CVE. Valid keys may come from a compromised user, over-permissive internal-user key, leaked secret, or another intrusion path.

Stage 2: Submit a malicious MCP stdio preview configuration

The attacker calls POST /mcp-rest/test/connection or POST /mcp-rest/test/tools/list with a crafted server configuration using the stdio transport. The request body supplies command-related fields that LiteLLM uses while previewing the MCP server before saving it.

Stage 3: Execute commands on the proxy host

In vulnerable versions, LiteLLM attempts to connect to the supplied stdio server and spawns the attacker-controlled command as a subprocess. The command executes with the privileges of the LiteLLM proxy process. This can expose environment variables, API keys, local files, cloud credentials, and network reachability available to that process.

Detection Guidance

1. Search LiteLLM proxy logs for calls to POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, especially from low-privilege users or unexpected clients.
2. Review request metadata for stdio MCP configurations containing unusual command, args, or env fields.
3. Correlate affected endpoint calls with host process telemetry showing child processes spawned by the LiteLLM proxy service.
4. Monitor for shell, Python, curl, wget, nc, bash, sh, PowerShell, or package-manager execution from the LiteLLM runtime environment.
5. Rotate LiteLLM proxy API keys and upstream provider keys if exploitation is suspected.
6. Upgrade to LiteLLM 1.83.7 or later. If immediate upgrade is not possible, block the affected POST endpoints at the reverse proxy or API gateway as described by BerriAI.

Indicators of Compromise

No stable exploit infrastructure or file hashes have been published in the available source documents. The following behavioral indicators are derived from the vulnerable workflow and should be treated as investigation leads:

• Authenticated requests to POST /mcp-rest/test/connection using stdio MCP configuration from users that should not administer MCP server settings.
• Authenticated requests to POST /mcp-rest/test/tools/list using stdio MCP configuration from low-privilege internal-user keys.
• LiteLLM proxy child processes that invoke command interpreters or network utilities.
• Unexpected reads of environment variables or local configuration files shortly after MCP test endpoint activity.
• Upstream LLM provider API usage from locations or systems outside the expected LiteLLM proxy egress path.

Disclosure Timeline

• 2026-04-19: Patched release published BerriAI published LiteLLM v1.83.7-stable, which includes the fix for arbitrary command execution through MCP stdio transport test endpoints.
• 2026-04-21: GitHub Security Advisory published BerriAI published GHSA-v4p8-mg3p-g94g describing authenticated command execution via MCP stdio test endpoints.
• 2026-05-08: NVD publication NVD published CVE-2026-42271 with CVSS 3.1 score 8.8 high and affected versions from 1.74.2 to before 1.83.7.
• 2026-06-08: CISA KEV addition CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog.
• 2026-06-22: CISA remediation deadline CISA lists 2026-06-22 as the required action deadline for applicable federal civilian executive branch systems.

Sources & References

• Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-08
• National Vulnerability Database: CVE-2026-42271 — National Vulnerability Database, 2026-05-08
• BerriAI LiteLLM Security: GHSA-v4p8-mg3p-g94g — BerriAI LiteLLM Security, 2026-04-21
• BerriAI LiteLLM: v1.83.7-stable release — BerriAI LiteLLM, 2026-04-19