Critical LiteLLM RCE Vulnerability Actively Exploited in the Wild
Threat actors are actively exploiting a critical unauthenticated remote code execution (RCE) vulnerability in LiteLLM, a widely used open-source AI proxy gateway, by chaining two CVEs to bypass authentication and execute arbitrary commands on vulnerable systems.
Researchers at Horizon3.ai confirmed the exploitation path on June 1, 2026, revealing that CVE-2026-42271 a command injection flaw in LiteLLM’s MCP server test endpoints can be combined with CVE-2026-48710, a Starlette "BadHost" Host Header validation bypass, to achieve unauthenticated RCE. The combined attack chain carries a CVSS score of 10.0 (Critical).
Exploitation Details
CVE-2026-42271 targets two LiteLLM MCP server endpoints:
POST /mcp-rest/test/connectionPOST /mcp-rest/test/tools/list
These endpoints allow attackers to supply malicious commands, arguments, and environment variables, which are then executed as subprocesses on the host. Initially, exploitation required a valid proxy API key, limiting its severity. However, CVE-2026-48710 affecting Starlette versions 1.0.0 and earlier enables attackers to manipulate Host header values, bypassing authentication entirely.
When both vulnerabilities are present, threat actors can gain unauthenticated RCE on vulnerable LiteLLM deployments.
Impact of Successful Exploitation
A compromised LiteLLM instance grants attackers:
- Arbitrary OS command execution on the host
- Access to model provider credentials and API keys (e.g., OpenAI, Anthropic, Azure OpenAI)
- Theft of stored secrets within the proxy
- Lateral movement into connected AI infrastructure
- Compromise of downstream systems integrated with the gateway
Given LiteLLM’s role in enterprise AI pipelines, a breach could expose an organization’s entire AI operations layer.
Affected Versions & Mitigation
- Vulnerable: LiteLLM 1.74.2–1.83.6 + Starlette 1.0.0 or earlier
- Patch: LiteLLM 1.83.7 (released May 8, 2026) introduces authorization controls and updates Starlette dependencies. Starlette should be upgraded to 1.0.1 or later.
- Interim Mitigations:
- Block external access to
/mcp-rest/test/connectionand/mcp-rest/test/tools/list - Restrict network access to trusted segments
- Rotate all stored credentials and API keys
- Monitor logs for unusual Host header values and unexpected subprocess execution
- Block external access to
Active exploitation makes this a high-priority patch for organizations running self-hosted LiteLLM instances.
Source: https://cyberpress.org/litellm-rce-vulnerability-exploited/
LiteLLM cybersecurity rating report: https://www.rankiteo.com/company/litellm
"id": "LIT1781000708",
"linkid": "litellm",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Organizations running '
'self-hosted LiteLLM instances '
'(versions 1.74.2–1.83.6 with '
'Starlette 1.0.0 or earlier)',
'industry': 'Artificial Intelligence / Software',
'name': 'LiteLLM',
'type': 'Open-source AI proxy gateway'}],
'attack_vector': 'Unauthenticated exploitation via Host header manipulation '
'and command injection',
'data_breach': {'sensitivity_of_data': 'High (AI infrastructure credentials '
'and secrets)',
'type_of_data_compromised': ['Model provider credentials',
'API keys',
'Stored secrets']},
'date_detected': '2026-06-01',
'date_publicly_disclosed': '2026-06-01',
'description': 'Threat actors are actively exploiting a critical '
'unauthenticated remote code execution (RCE) vulnerability in '
'LiteLLM, a widely used open-source AI proxy gateway, by '
'chaining two CVEs to bypass authentication and execute '
'arbitrary commands on vulnerable systems.',
'impact': {'data_compromised': 'Model provider credentials, API keys, stored '
'secrets, and downstream AI infrastructure '
'data',
'operational_impact': 'Arbitrary OS command execution, lateral '
'movement into AI infrastructure, compromise '
'of downstream systems',
'systems_affected': 'LiteLLM proxy gateway and connected AI '
'systems'},
'investigation_status': 'Confirmed exploitation in the wild',
'post_incident_analysis': {'corrective_actions': ['Patch management for '
'LiteLLM and Starlette',
'Credential rotation',
'Network segmentation',
'Enhanced monitoring'],
'root_causes': 'Combined exploitation of '
'CVE-2026-42271 (command injection) '
'and CVE-2026-48710 (Host header '
'bypass) in vulnerable LiteLLM and '
'Starlette versions'},
'recommendations': ['Upgrade LiteLLM to version 1.83.7 or later',
'Upgrade Starlette to version 1.0.1 or later',
'Rotate all stored credentials and API keys',
'Block external access to vulnerable endpoints',
'Restrict network access to trusted segments',
'Monitor logs for unusual Host header values and '
'subprocess execution'],
'references': [{'date_accessed': '2026-06-01', 'source': 'Horizon3.ai'}],
'response': {'containment_measures': ['Block external access to '
'`/mcp-rest/test/connection` and '
'`/mcp-rest/test/tools/list`',
'Restrict network access to trusted '
'segments'],
'enhanced_monitoring': 'Monitor logs for unusual Host header '
'values and unexpected subprocess '
'execution',
'network_segmentation': 'Restrict network access to trusted '
'segments',
'remediation_measures': ['Upgrade to LiteLLM 1.83.7',
'Upgrade Starlette to 1.0.1 or later',
'Rotate all stored credentials and API '
'keys'],
'third_party_assistance': 'Horizon3.ai (researchers)'},
'title': 'Critical LiteLLM RCE Vulnerability Actively Exploited in the Wild',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': ['CVE-2026-42271', 'CVE-2026-48710']}