Critical Command Injection Flaw in LiteLLM AI Gateway Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42271, a command injection vulnerability in BerryAI’s LiteLLM open-source AI gateway, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw, disclosed in April 2026, affects organizations using LiteLLM, a widely adopted library that standardizes interactions with multiple large language model (LLM) APIs under a single OpenAI-compatible interface.
Vulnerability Details
LiteLLM is used by developers and enterprises to manage API keys, route AI traffic, and avoid vendor lock-in, either as a Python SDK or a standalone proxy server. The vulnerability stems from improper input sanitization in two endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, which allowed authenticated users (including those with low-privilege API keys) to execute arbitrary commands on the host system. Exploitation required only a valid proxy API key, with no role-based access controls in place.
Exploitation Risks & Attack Chain
Initially, attackers needed a valid API key to exploit CVE-2026-42271, but researchers at Horizon3.ai discovered that the requirement could be bypassed by chaining it with CVE-2026-48710 ("BadHost"), an authentication bypass flaw in Starlette, the Python web framework underpinning LiteLLM. Successful exploitation enables:
- Arbitrary command execution on the LiteLLM host
- Theft of model provider credentials and API keys
- Lateral movement into connected AI infrastructure
- Compromise of downstream systems
CVE-2026-48710 was patched in Starlette v1.0.1, while CVE-2026-42271 was addressed in LiteLLM v1.83.7, which introduced role-based restrictions (limiting test endpoint access to PROXY_ADMIN users) and updated Starlette dependencies.
Mitigation & Federal Response
Organizations using LiteLLM are urged to upgrade to v1.83.7 or, if immediate patching is not feasible, to block access to the vulnerable MCP test endpoints and restrict network access to trusted segments. Credentials stored by the proxy should also be rotated. CISA has mandated that U.S. federal civilian agencies remediate the flaw by June 22, 2026.
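A triage sketch for the mitigation steps above, added here as an example and not taken from LiteLLM, CISA or Horizon3.ai: it checks installed versions against the fixed releases named in this article and lists POST requests to the two MCP test endpoints in an access log. The combined-style log format, the sample lines and all function names are assumptions.

```python
import re

# Endpoints and fixed releases as named in the article.
VULNERABLE_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
FIXED = {"litellm": (1, 83, 7), "starlette": (1, 0, 1)}

# Assumed format: combined-style access log written by a fronting reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/May/2026:10:01:11 +0000] "POST /v1/chat/completions HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/May/2026:10:02:40 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 87',
    '198.51.100.7 - - [02/May/2026:10:02:44 +0000] "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 403 19',
    '192.0.2.10 - - [02/May/2026:10:03:00 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0',
]

def parse_version(text):
    """Turn '1.83.7' or '1.83.7.post1' into a tuple of ints (suffixes ignored)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def needs_upgrade(package, installed):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < FIXED[package]

def find_test_endpoint_hits(lines):
    """Return POSTs to the MCP test endpoints, with client, time and status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0].rstrip("/")  # ignore query, trailing slash
        if path in VULNERABLE_PATHS:
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    print("litellm 1.83.6 needs upgrade:", needs_upgrade("litellm", "1.83.6"))
    for hit in find_test_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status on a pre-1.83.7 deployment is the case to investigate first, alongside rotating the credentials the proxy stores.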
Broader Context
This marks the second time in a month that LiteLLM has been targeted by attackers. In March 2026, threat group TeamPCP compromised BerryAI’s supply chain, publishing malicious LiteLLM versions on the Python Package Index (PyPI). No details have been released about the current exploitation campaigns or whether CVE-2026-48710 is being actively leveraged alongside the command injection flaw.
Berry AI cybersecurity rating report: https://www.rankiteo.com/company/berry-ai