Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution (RCE) on vulnerable deployments. Researchers at Horizon3.ai confirmed that combining two CVEs creates a CVSS 10.0 Critical attack path requiring zero credentials.
At the core of this threat is CVE-2026-42271, a command injection flaw in LiteLLM’s Model Context Protocol (MCP) server test endpoints. Specifically, the following endpoints accept full server configurations including commands, arguments, and environment variables — and spawn the supplied input as a subprocess on the host:
POST /mcp-rest/test/connection
POST /mcp-rest/test/tools/list
When initially disclosed on April 20, 2026, the flaw was considered limited in impact because access required a valid proxy API key. That assumption was dismantled when Horizon3.ai researchers chained it with CVE-2026-48710, a Starlette “BadHost” Host Header validation bypass affecting Starlette versions 1.0.0 and earlier.
By manipulating the HTTP Host header to exploit the Starlette authentication bypass, attackers can sidestep LiteLLM’s API key requirement entirely. The result is that unauthenticated remote code execution commands execute with the same privileges as the LiteLLM proxy process, with no login or API key required.
Affected versions span LiteLLM 1.74.2 through 1.83.6 on deployments whose dependency tree includes Starlette ≤ 1.0.0.
LiteLLM RCE Vulnerability Exploited
Successful exploitation of this chained vulnerability gives attackers significant reach into AI infrastructure. Once code execution is achieved, threat actors can:
Execute arbitrary OS commands on the LiteLLM host
Steal API keys and model provider credentials stored by the proxy
Access secrets and environment variables in the proxy process
Move laterally into connected AI infrastructure and downstream systems
Given that LiteLLM is widely used to route and manage API calls to large language models (LLMs) from providers like OpenAI, Anthropic, and Azure, a compromise of the gateway layer can cascade into broader AI supply chain exposure.
Indicators of Compromise
Security teams should monitor for the following signs of exploitation activity:
Unexpected subprocess execution originating from the LiteLLM process
HTTP requests targeting /mcp-rest/test/connection or /mcp-rest/test/tools/list
Unusual or malformed Host header values in proxy logs
Unauthorized command execution events on the host system
Organizations should immediately upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is updated to version 1.0.1 or later. If patching cannot be applied immediately, defenders should:
Block external access to the MCP test endpoints
Restrict proxy network access to trusted segments only
Rotate all credentials and API keys stored by the proxy
Review logs for anomalous Host header values and subprocess events
Given active in-the-wild exploitation, patching should be treated as an emergency priority for any organization running a self-hosted LiteLLM deployment.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands appeared first on Cyber Security News.
