CISA has added CVE-2026-42271 to its KEV catalog, confirming active exploitation of a command injection vulnerability in LiteLLM. When chained with a Starlette authentication bypass, the flaw enables unauthenticated RCE with a CVSS score of 10.0.
LiteLLM CVE-2026-42271: CISA Confirms Active Exploitation of CVSS 10.0 RCE Chain

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog on June 8, 2026, confirming that the flaw is being actively exploited in the wild. The flaw, a command injection in LiteLLM's Model Context Protocol (MCP) preview endpoints, allows any user with a valid API key to execute arbitrary commands on the proxy host. When chained with CVE-2026-48710, an authentication bypass in the Starlette dependency, the exploit becomes full unauthenticated remote code execution (RCE), earning a Critical CVSS score of 10.0.

Key Takeaways
  • CISA added CVE-2026-42271 to the KEV catalog on June 8, 2026, setting a June 22 remediation deadline for federal agencies.
  • CVE-2026-42271 affects LiteLLM versions 1.74.2 through 1.83.6 and is classified as HIGH with CVSS scores ranging from 8.7 to 8.8.
  • Horizon3.ai validated that CVE-2026-48710 bypasses authentication in deployments using Starlette ≤1.0.0, upgrading the flaw to unauthenticated RCE.
  • The patch in LiteLLM v1.83.7 enforces the PROXY_ADMIN role on all MCP endpoints.

Attack Mechanism: From API Key to Proxy Shell

The vulnerability resides in two preview endpoints of the Model Context Protocol (MCP) in LiteLLM: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. According to the official CVE record, these endpoints accepted full server configurations for stdio transport, including user-controlled command, args, and env fields. The proxy executed the provided command as a subprocess on the host, inheriting the privileges of the LiteLLM process.

The only protection in place was proxy API key validation; there were no role-based authorization checks. As the GitHub advisory via the CVE.org record reports, "any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host." With no separation between low-privilege internal keys and administrative capabilities, authentication was the only barrier between a key holder and the host.
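To see whether these two endpoints have been requested on a deployment, the following added example (not code from LiteLLM, CISA, or Horizon3.ai) scans reverse-proxy access logs for POSTs to them and groups the hits by client. It assumes combined log format; the function names are hypothetical, the sample lines are constructed, and treating a 2xx status as "not rejected" is an assumption about how the deployment answers.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two MCP preview endpoints named in the CVE record.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Drop the query string, decode %-escapes, collapse '//' and a trailing '/'."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def find_mcp_test_posts(lines):
    """Return {client_ip: [(timestamp, path, status), ...]} for POSTs to the endpoints."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST":
            path = normalize_path(m["target"])
            if path in MCP_TEST_PATHS:
                hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

def clients_not_rejected(hits):
    """Client IPs with at least one 2xx answer: triage these hosts first."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= status < 300 for _, _, status in rows))

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [09/Jun/2026:10:14:02 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [09/Jun/2026:10:14:05 +0000] "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 200 733 "-" "-"',
    '203.0.113.9 - - [09/Jun/2026:10:20:11 +0000] "POST /mcp-rest/test/connection/ HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.44 - - [09/Jun/2026:10:21:40 +0000] "POST /v1/chat/completions HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [09/Jun/2026:10:22:00 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0 "-" "-"',
]

if __name__ == "__main__":
    hits = find_mcp_test_posts(SAMPLE_LOG)
    print(hits, clients_not_rejected(hits))
```

The path normalization deliberately over-matches; the recorded status shows how each request was answered.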

The Chain That Eliminates Authentication: Starlette BadHost

While CVE-2026-42271 is severe, its impact is initially gated by the requirement of a valid API key. The threat escalated significantly when chained with CVE-2026-48710, a vulnerability in the Starlette library—a common dependency in the Python ASGI ecosystem—involving a Host header validation bypass in versions ≤ 1.0.0.

Researchers at Horizon3.ai, who discovered and validated the exploit chain, state that "CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0." In their words, "This transforms the vulnerability into unauthenticated remote code execution with no credentials required." The combination received the maximum CVSS 10.0 Critical rating.

"The chained vulnerability has been assessed as CVSS 10.0 Critical" — Horizon3.ai researchers

This mechanism illustrates a growing pattern in AI infrastructure: tools designed for rapid deployment accumulate complex dependencies without security models evolving at the same pace as adoption. Starlette is a foundational library, not a marginal component; its bypass serves as an impact accelerator for vulnerabilities that might otherwise be considered manageable.

Impact of the KEV Catalog and CISA Deadline

The inclusion in the KEV catalog is more than a technical formality. Under Binding Operational Directive 22-01, CISA requires federal agencies to apply the necessary patches by June 22, 2026. This regulatory pressure extends to the private sector through contractual standards and supply chains serving the federal government.

The KEV catalog describes CVE-2026-42271 as affecting a "common open-source component," highlighting the potential reach of the software. LiteLLM is a widely used AI gateway designed to unify access to various LLM providers (OpenAI, Anthropic, Azure, and self-hosted models) through a common API interface. Self-hosted deployments—typical in enterprise environments handling sensitive data—run the proxy with access to provider credentials, network secrets, and visibility into internal AI traffic.

Mitigation and Response

Priority actions identified by CISA, NVD records, and Horizon3.ai analysis include:

  • Update LiteLLM to version 1.83.7 or later, which enforces the PROXY_ADMIN role on MCP endpoints.
  • Update Starlette to version 1.0.1 or later to remediate CVE-2026-48710.
  • Block access to the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints at the reverse proxy level if they are not strictly required.
  • Restrict network access to exposed LiteLLM proxies to limit the attack surface in the event of residual bypasses.
  • Monitor for unauthorized subprocess execution originating from the LiteLLM process.
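The first two actions depend on knowing which versions are actually installed. This added example (not code from LiteLLM or any cited source) classifies `pip freeze`-style text against the affected ranges stated in this article; the function names are hypothetical, the sample input is constructed, and pre-release and post-release suffixes are ignored when comparing.

```python
import re

# Affected ranges exactly as stated in the article.
LITELLM_AFFECTED = ((1, 74, 2), (1, 83, 6))   # inclusive range
STARLETTE_LAST_AFFECTED = (1, 0, 0)           # <= 1.0.0

# "name==version" pins, with optional extras such as litellm[proxy].
PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")

def parse_pins(text):
    """Map normalized package name -> pinned version from pip-freeze-style text."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[re.sub(r"[-_.]+", "-", m.group(1)).lower()] = m.group(2)
    return pins

def release_tuple(version):
    """Numeric release part as a 3-tuple; suffixes (rc1, .post1) are ignored."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group(0).split(".")]
    return tuple((nums + [0, 0])[:3])

def assess(text):
    """Classify a dependency set against the two conditions the article describes."""
    pins = parse_pins(text)
    litellm, starlette = pins.get("litellm"), pins.get("starlette")
    injection = (litellm is not None and
                 LITELLM_AFFECTED[0] <= release_tuple(litellm) <= LITELLM_AFFECTED[1])
    bypass = (starlette is not None and
              release_tuple(starlette) <= STARLETTE_LAST_AFFECTED)
    if injection and bypass:
        verdict = "unauthenticated RCE chain (CVE-2026-42271 + CVE-2026-48710)"
    elif injection:
        verdict = "authenticated command injection (CVE-2026-42271)"
    elif bypass:
        verdict = "Starlette auth bypass only (CVE-2026-48710)"
    else:
        verdict = "outside both affected ranges"
    return {"litellm": litellm, "starlette": starlette, "verdict": verdict}

# Constructed sample input, not taken from a real deployment.
SAMPLE_FREEZE = """\
litellm[proxy]==1.80.4
Starlette==0.46.2
uvicorn==0.30.1
"""
```

Run it against the environment the proxy actually executes in (for example the container image), since a pinned requirements file may not match what is installed.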

Currently, there is no evidence linking the observed in-the-wild attacks to specific threat actors. Documentation does not specify whether the observed attacks utilize the full chain with CVE-2026-48710 or are limited to the authenticated variant using stolen or low-privilege API keys.

The Thin Line Between Convenience and Control

The structure of this vulnerability reveals a recurring design tension in modern AI infrastructure. The MCP preview endpoints are development features ("test connection," "test tools list") that were exposed with command-execution privileges on production proxies. The separation between development and production environments, a traditional pillar of enterprise security, is being compressed by the "rapid deployment" logic permeating the AI tooling ecosystem.

The absence of role checks on MCP endpoints, combined with the vulnerable Starlette dependency, creates a cascade of impact that exceeds the sum of its parts. CVE-2026-42271 alone is rated HIGH; with CVE-2026-48710, it becomes a maximum-score Critical. This supply-chain amplification pattern is likely to recur as AI gateways solidify their position as critical infrastructure sitting between corporate data and external model providers.

Information has been verified against cited sources and is current as of the time of publication.

Sources and references
  1. thehackernews.com
  2. nvd.nist.gov
  3. sentinelone.com
  4. horizon3.ai
  5. windowsforum.com
  6. cve.org
  7. cisa.gov