What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the
Why It Matters
According to CISA and vulnerability reports, CVE-2026-42271 is a high-severity command injection flaw in BerriAI LiteLLM’s MCP test endpoints that allows arbitrary command execution on the LiteLLM host by any authenticated user, with active exploitation observed in the wild.[2] Horizon3.ai further shows that, when chained with the Starlette host header bypass CVE-2026-48710, this becomes unauthenticated remote code execution, enabling attackers to execute commands, access model provider credentials, and move laterally into connected AI infrastructure.[1]
From a CyberSE.AI perspective, this illustrates a critical AI supply chain and gateway risk: organizations relying on LiteLLM as an AI proxy can have their entire model access layer, stored API keys, and downstream integrations compromised if dependencies and SBOMs are not tightly managed and patched.
Practically, enterprises should treat AI gateways as high-value infrastructure, implement SBOM-driven dependency monitoring, restrict and harden test/MCP endpoints, rotate all secrets integrated with the proxy, and use continuous red teaming to validate that AI access layers are not exposing unauthenticated or low-privilege paths to remote
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/litellm-flaw-cve-2026-42271-exploited.html