Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Threat actors are actively exploiting a critical chained vulnerability in LiteLLM<\/a>, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution (RCE) on vulnerable deployments. Researchers at Horizon3.ai confirmed that combining two CVEs creates a CVSS 10.0 Critical attack path requiring zero credentials.<\/p>\n At the core of this threat is CVE-2026-42271<\/a>, a command injection flaw in LiteLLM\u2019s Model Context Protocol (MCP) server test endpoints. Specifically, the following endpoints accept full server configurations including commands, arguments, and environment variables \u2014 and spawn the supplied input as a subprocess on the host:<\/p>\n When initially disclosed on April 20, 2026, the flaw was considered limited in impact because access required a valid proxy API key. That assumption was dismantled when Horizon3.ai researchers chained<\/a> it with CVE-2026-48710, a Starlette \u201cBadHost\u201d Host Header validation bypass affecting Starlette versions 1.0.0 and earlier.<\/p>\n By manipulating the HTTP Host header to exploit the Starlette authentication bypass, attackers can sidestep LiteLLM\u2019s API key requirement entirely. The result is that unauthenticated remote code execution commands execute with the same privileges as the LiteLLM proxy process, with no login or API key required.<\/p>\n Affected versions span LiteLLM 1.74.2 through 1.83.6 on deployments whose dependency tree includes Starlette \u2264 1.0.0.<\/p>\n Successful exploitation of this chained vulnerability gives attackers significant reach into AI infrastructure. Once code execution is achieved, threat actors can:<\/p>\n Given that LiteLLM is widely used to route and manage API calls to large language models (LLMs) from providers like OpenAI, Anthropic, and Azure, a compromise of the gateway layer can cascade into broader AI supply chain exposure.<\/p>\n Security teams should monitor for the following signs of exploitation activity:<\/p>\n Organizations should immediately upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is updated to version 1.0.1 or later. If patching cannot be applied immediately, defenders should:<\/p>\n Given active in-the-wild exploitation, patching should be treated as an emergency priority for any organization running a self-hosted LiteLLM deployment.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n
POST \/mcp-rest\/test\/connection<\/code><\/li>\nPOST \/mcp-rest\/test\/tools\/list<\/code><\/li>\n<\/ul>\nLiteLLM RCE Vulnerability Exploited<\/strong><\/h2>\n
\n
Indicators of Compromise<\/strong><\/h2>\n
\n
\/mcp-rest\/test\/connection<\/code> or \/mcp-rest\/test\/tools\/list<\/code>\n<\/li>\nHost<\/code> header values in proxy logs<\/li>\n\n