Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 8.7 High
EPSS: 80.2% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

LiteLLM is an AI gateway that forwards requests to LLM APIs. Between versions 1.74.2 and prior to 1.83.7 two preview endpoints – POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list – allowed a client to send a complete server configuration, including the command, arguments, and environment variables used by the stdio transport. When these endpoints were called, the gateway attempted to connect, which started the supplied command as a subprocess on the host machine with the privileges of the LiteLLM process. Because no role check was performed, any authenticated API key holder, even one with a low‑privilege internal‑user key, could trigger this path and execute arbitrary code on the host. This flaw is a classic command‑injection weakness identified by CWE‑77 and CWE‑78 and enables an attacker to compromise confidentiality, integrity, and availability.

Affected Systems

The issue affects LiteLLM installations sourced from BerriAI between version 1.74.2 and the pre‑1.83.7 stable release. Any deployment that exposes the two preview endpoints to clients with a valid API key is vulnerable. The vulnerability was patched in version 1.83.7 and later releases.

Risk and Exploitability

The flaw is only reachable to users who possess a valid proxy API key, and no additional role or privilege check is performed. The EPSS score of 80% indicates a high likelihood that the vulnerability is being sought or exploited by threat actors. The CVSS score of 8.7 classifies it as high severity. It is listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker can choose any command and run it with the proxy process’s privileges, which could lead to lateral movement, credential theft, or full host takeover. The likely attack vector is authenticated API key usage on the preview endpoints.

Generated by OpenCVE AI on July 16, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later where the flaw is fixed.
  • If an upgrade cannot be applied immediately, revoke or restrict any API keys that grant access to the preview endpoints so that only trusted users retain access.
  • Block the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints using firewall or reverse‑proxy rules to prevent the execution path.

Generated by OpenCVE AI on July 16, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v4p8-mg3p-g94g LiteLLM: Authenticated command execution via MCP stdio test endpoints
History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-08T00:00:00+00:00', 'dueDate': '2026-06-22T00:00:00+00:00'}


Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Title LiteLLM: Authenticated command execution via MCP stdio test endpoints
Weaknesses CWE-77
CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-15T00:57:49.325Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42271

cve-icon Vulnrichment

Updated: 2026-05-08T14:31:02.765Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T04:16:21.820

Modified: 2026-06-17T10:47:36.560

Link: CVE-2026-42271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T01:00:04Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')