← All articles

LiteLLM AI gateway flaw exploited for unauthenticated remote code execution

Attackers are actively exploiting a flaw in LiteLLM, a widely used open-source gateway that routes requests to AI models, and CISA has added it to its known-exploited-vulnerabilities list. The bug (CVE-2026-42271) lets any authenticated user run commands on the host through test endpoints that spawn whatever command is supplied in the request. Chained with a separate Host-header bypass in the Starlette web framework (CVE-2026-48710), it becomes unauthenticated remote code execution, giving full control of the server, credential theft, and a foothold in connected AI infrastructure. Horizon3.ai has published a proof-of-concept. It follows a LiteLLM SQL injection flaw exploited within 36 hours last month.

Check
Identify internet-facing LiteLLM proxy deployments and their version, check the Starlette version in use, and review logs of the /mcp-rest/test endpoints for unexpected command execution.
Affected
LiteLLM AI gateway and Python SDK (BerriAI) deployments exposing the vulnerable test endpoints (CVE-2026-42271), especially when paired with Starlette versions vulnerable to the Host-header bypass (CVE-2026-48710).
Fix
Upgrade LiteLLM and Starlette to the fixed releases immediately, restrict the affected endpoints to trusted networks, and rotate any credentials or API keys reachable from the LiteLLM host.