Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 8.7 High
EPSS: 75.0% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is caused by insufficient input validation in the preview endpoints /mcp-rest/test/connection and /mcp-rest/test/tools/list. When a client supplies a full server configuration that uses the stdio transport, the proxy attempts to connect and spawns a subprocess with the supplied command, arguments, and environment variables. Because the command is executed with the privileges of the proxy process, an attacker can run arbitrary code on the host. This is a classic command‑injection weakness (CWE‑77, CWE‑78) that can compromise confidentiality, integrity, and availability.

Affected Systems

The issue affects BerriAI’s LiteLLM AI gateway, from version 1.74.2 up to the pre‑1.83.7 stable release. Any installation that exposes the two preview endpoints to users with an API key is vulnerable. Versions 1.83.7 and newer contain the fix.

Risk and Exploitability

The vulnerability is only reachable to users who possess a valid proxy API key, with no role or privilege check performed. The EPSS score of 75% indicates a high likelihood of exploitation, and the listing in the CISA KEV catalog confirms active exploitation. The CVSS score of 8.7 classifies it as high severity. An attacker can choose any command and run it with the proxy process's privileges, enabling potential lateral movement, credential theft, or full host takeover. The likely attack vector is through authenticated API key usage on these preview endpoints.

Generated by OpenCVE AI on June 24, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later where the flaw is corrected.
  • If an upgrade cannot be applied immediately, revoke or restrict any API keys that allow access to the preview endpoints so that only trusted users retain access.
  • Block the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints by implementing firewall or reverse proxy rules to prevent the execution path.

Generated by OpenCVE AI on June 24, 2026 at 12:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v4p8-mg3p-g94g LiteLLM: Authenticated command execution via MCP stdio test endpoints
History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-08T00:00:00+00:00', 'dueDate': '2026-06-22T00:00:00+00:00'}

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
Title LiteLLM: Authenticated command execution via MCP stdio test endpoints
Weaknesses CWE-77
CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N'}

Subscriptions

Berriai Litellm
Litellm Litellm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T03:55:26.815Z

Reserved: 2026-04-26T11:53:27.707Z

Link: CVE-2026-42271

cve-icon Vulnrichment

Updated: 2026-05-08T14:31:02.765Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T04:16:21.820

Modified: 2026-06-17T10:47:36.560

Link: CVE-2026-42271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')