"Two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport," BerriAI said.
How CVE-2026-42271 gives authenticated users command execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-42271 and assigned a CVSS score of 8.7, is a command injection bug in the LiteLLM Python package affecting versions >= 1.74.2 and < 1.83.7.
According to BerriAI’s description, two preview endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a complete server configuration in the request body, including the command, args, and env fields used by the stdio transport. When those endpoints were supplied with a stdio configuration, they attempted to connect and spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were protected only by a valid proxy API key, meaning any authenticated user — including keys with privileged internal access — could execute arbitrary commands on a susceptible host.
How Horizon3.ai said the chain turns it into unauthenticated RCE
Last week, Horizon3.ai reported chaining CVE-2026-42271 with CVE-2026-48710, a "BadHost" host header validation bypass in the Starlette ASGI framework. Horizon3.ai wrote that "CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0." In Horizon3.ai’s assessment, this "transforms the vulnerability into unauthenticated remote code execution with no credentials required."
Horizon3.ai warned that a successful weaponization of the exploit chain could allow attackers to run arbitrary commands on the LiteLLM host, access model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and compromise downstream systems integrated with the gateway. The chained vulnerability was given a combined CVSS score of 10.0 by Horizon3.ai.
Patches, CISA action, and short-term mitigations
BerriAI released patches in LiteLLM version 1.83.7. As part of those fixes, both preview test endpoints now require the PROXY_ADMIN role, aligning them with the privileges required by the save endpoint. Users are advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later.
For organizations that cannot immediately patch, the published mitigations are concrete and narrow: block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway; restrict network access to trusted segments; rotate credentials stored by the proxy; and review logs for unusual Host header activity and subprocess execution events. CISA’s inclusion of the flaw in its KEV catalog signals that federal authorities see active exploitation risk and expect defenders to prioritize fixes.
What this means for technologists and procurement leaders
- Technologists and security teams: The exploit path combines an application-level command injection with a web-framework host-header bypass, so defenders must validate both the application runtime and its dependency tree. The immediate steps are to apply LiteLLM 1.83.7 and Starlette 1.0.1, implement the reverse-proxy blocks for the two POST endpoints if patching is delayed, rotate proxy-stored credentials, and review logs for host header anomalies and subprocess launches.
- Procurement and enterprise leaders: The incident underscores that a vulnerable dependency (Starlette) in an otherwise separate package (LiteLLM) can escalate impact from authenticated to unauthenticated compromise. Procurement teams should demand clear version and dependency management from vendors and ensure contracts or SLAs require timely security updates and disclosure of exploited CVEs like CVE-2026-42271 and CVE-2026-48710.
Conclusion: rapid patching and a crowded alert board
Within weeks of another critical LiteLLM flaw (CVE-2026-42208, a SQL injection with CVSS 9.3 that was observed being exploited within 36 hours of disclosure), defenders now face a second actively notable vulnerability in the same project. The combination of CISA’s KEV listing, BerriAI’s explanation of how preview endpoints executed attacker-supplied commands, and Horizon3.ai’s chaining to a Starlette bypass leaves a narrow but urgent defensive path: update LiteLLM and Starlette without delay, apply the recommended reverse-proxy blocks if patching is not immediately possible, rotate credentials, and review logs. Whether the in-the-wild activity uses the chain or only the authenticated injection remains unspecified; the technical facts reported so far make prompt mitigation the practical course.
