LiteLLM CVE-2026-42271: command injection via MCP endpoints, actively exploited
> TL;DR: LiteLLM 1.74.2 through 1.83.6 lets any authenticated proxy user execute arbitrary commands on the server via two MCP test endpoints. CVSS 8.8, active exploitation confirmed by CISA on June 8, 2026. Fix: 1.83.7.
Why this concerns you
LiteLLM has become the standard plumbing for AI features in SaaS products: a single proxy that routes your calls to OpenAI, Anthropic, Mistral or self-hosted models, with key, quota and cost management. If your product added an AI assistant, a chat feature or LLM-based CV parsing in the last two years, there's a real chance a LiteLLM proxy is running somewhere in your infrastructure — sometimes installed by a contractor, sometimes inherited from a template.
It's exactly this kind of "invisible" building block that makes the best targets.
The flaw in two sentences
LiteLLM exposes endpoints to preview an MCP server before saving it: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints accepted a full server configuration in the request body — including the command, args and env fields used by the stdio transport.
In other words: you send a request with "command": "bash" and the arguments of your choice, and the proxy executes your command with its own privileges. No exotic deserialization, no complex exploit chain — the endpoint does exactly what it's told.
"Authenticated", so not a big deal?
Exploitation requires a proxy API key. Many teams stop at that word and file the flaw as minor. That's a misreading:
.env files, Git histories and CI configurations;CISA added this CVE to its KEV catalog on June 8, 2026: it is being exploited in the wild, not in theory.
What to do, in order
/mcp-rest/test/* endpoints in your logs.The lesson beyond LiteLLM
MCP surfaces are multiplying in AI products, and they arrive with a dangerous pattern: endpoints that accept *executable configurations* (command, arguments, environment) rather than data. Every time a request field ends up in a spawn(), you have an RCE candidate.
If your SaaS wired up AI features quickly — assistant, RAG, document parsing — auditing that surface has become as urgent as auditing your classic APIs. Our First Review covers exposed AI and MCP endpoints: verdict in 48h.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
CVE-2026-32541: Next.js middleware bypass — analysis and fix
A critical vulnerability in Next.js middleware allowed authentication bypass. Technical analysis of the flaw and fix guide for HR SaaS vendors.
Vibe Coding Security: Real CVEs Caused by Cursor, Lovable, Bolt, and Copilot in 2026
AI-generated code contains systematic vulnerabilities. Analysis of real CVEs from vibe coding tools in 2026.
PeopleSoft CVE-2026-35273: unauthenticated takeover of an HR software giant
CVSS 9.8: a critical function in PeopleSoft PeopleTools 8.61 and 8.62 is reachable without authentication, up to full takeover. Actively exploited. What this flaw tells every HR and payroll software vendor.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.