The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** recently added a significant flaw impacting **BerriAI LiteLLM** to its **Known Exploited Vulnerabilities (KEV)** catalog. This addition signals evidence of active exploitation in the wild, urging immediate attention from IT security professionals. ### The LiteLLM Command Injection Vulnerability The vulnerability, tracked as **CVE-2026-42271**, is a high-severity command injection flaw with a CVSS score of 8.7. It allows any authenticated user to execute arbitrary commands on the host system. The affected versions of the **LiteLLM** Python package range from `>= 1.74.2` to `< 1.83.7`. According to a description shared by **BerriAI**, two specific endpoints—`POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`—were at fault. These endpoints accepted a full server configuration in the request body, including `command`, `args`, and `env` fields used by the `stdio` transport. When invoked with a `stdio` configuration, the endpoints attempted to connect, inadvertently spawning the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The maintainers of the open-source AI gateway and Python SDK noted that these endpoints were only secured by a valid proxy API key. This meant any authenticated user, including those with privileged internal-user keys, could execute arbitrary commands on a susceptible system. The issue was addressed in version 1.83.7, which now requires the `PROXY_ADMIN` role for both test endpoints, aligning their security with the `save` endpoint. ### Unauthenticated Remote Code Execution via Chained Vulnerabilities Adding a critical layer of concern, **Horizon3.ai** recently disclosed research detailing how **CVE-2026-42271** can be chained with another vulnerability, **CVE-2026-48710**, to achieve unauthenticated remote code execution (RCE). **CVE-2026-48710** (CVSS score: 6.5) is a "BadHost" host header validation bypass vulnerability affecting **Starlette**, a lightweight Asynchronous Server Gateway Interface (**ASGI**) framework. This flaw impacts **Starlette** versions `≤ 1.0.0`. **Horizon3.ai** demonstrated that **CVE-2026-48710** can completely bypass the authentication mechanism in **LiteLLM** deployments where the dependency tree includes vulnerable **Starlette** versions. This transforms the original command injection into an unauthenticated RCE, requiring no credentials. The combined exploit chain carries a critical CVSS score of 10.0. Successful exploitation of this chain could allow attackers to execute arbitrary commands on the **LiteLLM** host, gain access to model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and potentially compromise downstream systems integrated with the gateway. ### Current Status and Recommendations While **CISA** confirms active exploitation of **CVE-2026-42271**, specific details regarding the threat actors, targeted entities, scale of attacks, or whether the chained RCE is being leveraged in the wild are currently unavailable. Users are strongly advised to update their **LiteLLM** instances to version 1.83.7 or later and **Starlette** to version 1.0.1 or later immediately. For those unable to patch immediately, the following mitigations are recommended: * Block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at the reverse proxy or API gateway. * Restrict network access to trusted segments. * Rotate credentials stored by the proxy. * Review logs for unusual Host header activity and subprocess execution events. This development follows closely on the heels of another critical SQL injection flaw in **LiteLLM**, **CVE-2026-42208** (CVSS score: 9.3), which came under active exploitation within 36 hours of its public disclosure, underscoring the urgency for timely patching of AI-related infrastructure.