Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A lapse in input validation allows an authenticated user to supply arbitrary command, arguments, and environment variables to a proxy server’s pre‑connection test endpoints. When the server attempts a stdio transport connection, those values are passed to the operating system as a subprocess, enabling the attacker to execute any command with the proxy process’s privileges. This flaw is a classic command injection that can compromise confidentiality, integrity, and availability of the host. The CVE notes a CVSS score of 8.7, indicating a high severity and significant risk if exploited.

Affected Systems

The issue affects BerriAI’s LiteLLM product, versions 1.74.2 through the pre‑1.83.7 releases. Any installation deploying a pre‑patched LiteLLM instance and using its authentication system is vulnerable; the flaw is contained to the preview endpoints used for Microsoft Cloud Platform (MCP) server configuration previews.

Risk and Exploitability

The vulnerability is accessible only to users possessing a valid proxy API key, yet no role or privilege check is performed. Because the endpoints accept full configuration payloads, an attacker can choose any command, bypassing typical operational constraints. The patch to version 1.83.7 resolves the injection, so the attack vector disappears once upgraded. The lack of an EPSS score and absence from the KEV list suggests no widely known exploits yet, but the high CVSS score signals a serious potential threat landscape.

Generated by OpenCVE AI on May 8, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later where the command injection flaw has been fixed.
  • Restrict or revoke API keys that are not required for production usage; enforce the principle of least privilege for key roles.
  • If an upgrade cannot be applied immediately, disable the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints via firewall or reverse proxy rules.
  • Audit and monitor the proxy’s process list and logs for unexpected subprocesses, and set up alerts for execution of unknown commands.
  • Review the LiteLLM configuration to ensure that only authorized internal users are assigned API keys and that the stdio transport is disabled if not needed.

Generated by OpenCVE AI on May 8, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v4p8-mg3p-g94g LiteLLM: Authenticated command execution via MCP stdio test endpoints
History

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Title LiteLLM: Authenticated command execution via MCP stdio test endpoints
Weaknesses CWE-77
CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N'}

Subscriptions

Berriai Litellm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:35:16.758Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42271

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:21.820

Modified: 2026-05-08T04:16:21.820

Link: CVE-2026-42271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses