{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42271","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-26T11:53:27.707Z","datePublished":"2026-05-08T03:35:16.758Z","dateUpdated":"2026-07-15T00:57:49.325Z"},"containers":{"cna":{"title":"LiteLLM: Authenticated command execution via MCP stdio test endpoints","problemTypes":[{"descriptions":[{"cweId":"CWE-77","lang":"en","description":"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.7,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g","tags":["x_refsource_CONFIRM"],"url":"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"},{"name":"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable","tags":["x_refsource_MISC"],"url":"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"}],"affected":[{"vendor":"BerriAI","product":"litellm","versions":[{"version":">= 1.74.2, < 1.83.7","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-08T03:35:16.758Z"},"descriptions":[{"lang":"en","value":"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."}],"source":{"advisory":"GHSA-v4p8-mg3p-g94g","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271","tags":["government-resource"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-08T00:00:00+00:00","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-42271"}}},{"other":{"type":"kev","content":{"dateAdded":"2026-06-08","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T03:55:26.815Z"},"timeline":[{"time":"2026-06-08T00:00:00.000Z","lang":"en","value":"CVE-2026-42271 added to CISA KEV"}]},{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-llama-stack-core-rhel9","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1781826406","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:3.3::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-llama-stack-core-rhel9","product":"Red Hat OpenShift AI 3.3","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1782310008","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:3.4::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9","product":"Red Hat OpenShift AI 3.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1781622627","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:exploit_intelligence:0"],"defaultStatus":"unaffected","packageName":"exploit-intelligence-tech-preview/vulnerability-analysis-rhel9","product":"Exploit Intelligence","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","packageName":"ansible-automation-platform-26/lightspeed-chatbot-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","packageName":"ansible-automation-platform-27/lightspeed-chatbot-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-mlflow-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-05-08T03:35:16.758Z","descriptions":[{"lang":"en","value":"A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42271"},{"name":"RHBZ#2467924","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467924"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42271.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28960"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30056"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:27784"}],"solutions":[{"lang":"en","value":"RHSA-2026:28960: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:30056: Red Hat OpenShift AI 3.3"},{"lang":"en","value":"RHSA-2026:27784: Red Hat OpenShift AI 3.4"}],"timeline":[{"lang":"en","time":"2026-05-08T04:02:12.169Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-08T03:35:16.758Z","value":"Made public."}],"title":"litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-15T00:57:49.325Z"}}]}}