CVE-2026-42271: LiteLLM: Authenticated command execution via MCP stdio test endpoints
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Security readout for executives and security teams
Plain-English summary
LiteLLM versions 1.74.2 through before 1.83.7 let any authenticated proxy API key holder run commands on the server through MCP preview test endpoints. A low-privilege internal key could become full host compromise. CISA KEV indicates known exploitation, so this should be treated as urgent where LiteLLM is deployed.
Executive priority
Prioritize immediate remediation for any internet-facing or broadly accessible LiteLLM proxy. KEV status and host command execution make this a business-impact risk, especially where LiteLLM can reach secrets, model credentials, internal systems, or production data.
Technical view
The MCP REST test endpoints accepted attacker-supplied stdio server configuration, including command, args, and env. When testing the connection or tool list, LiteLLM spawned the supplied command as a subprocess under the proxy process privileges. The flaw required a valid proxy API key but no elevated role. Patch: version 1.83.7.
Likely exposure
Organizations running LiteLLM proxy versions >=1.74.2 and <1.83.7 are exposed if users or services can call /mcp-rest/test/connection or /mcp-rest/test/tools/list with a valid proxy API key.
Exploitation context
CISA KEV listing supports known exploitation. The sources do not provide exploit volume, targeting details, public proof-of-concept status, or indicators of compromise. Exploitation is authenticated, but the advisory states low-privilege internal-user keys were sufficient.
Researcher notes
Key research focus is authorization failure around MCP stdio preview behavior. Confirm version range, endpoint reachability, authentication paths, and process execution telemetry. Do not assume unauthenticated exposure; the cited advisory describes authenticated exploitation with any valid proxy API key.
Mitigation direction
Upgrade LiteLLM to version 1.83.7 or later.
Restrict access to LiteLLM proxy endpoints to trusted networks and users.
Rotate or revoke unnecessary LiteLLM proxy API keys.
Review vendor and Red Hat advisories for environment-specific remediation.
Monitor for unexpected child processes from the LiteLLM proxy process.
Validation and detection
Inventory LiteLLM deployments and confirm installed versions.
Identify whether affected MCP REST test endpoints are reachable.
Review proxy API key issuance, ownership, and privilege levels.
Check application, audit, and EDR logs for calls to affected endpoints.
Look for unexpected subprocesses spawned by LiteLLM during the exposure window.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-77: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.