Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands

Threat actors are actively exploiting a critical chained vulnerability in LiteLLM, a popular open-source AI gateway proxy, allowing unauthenticated remote code execution (RCE) on vulnerable deployments. Researchers at Horizon3.ai confirmed that combining two CVEs creates a CVSS 10.0 Critical attack path requiring zero credentials.

At the core of this threat is CVE-2026-42271, a command injection flaw in LiteLLM’s Model Context Protocol (MCP) server test endpoints. Specifically, the following endpoints accept full server configurations including commands, arguments, and environment variables — and spawn the supplied input as a subprocess on the host:

• POST /mcp-rest/test/connection
• POST /mcp-rest/test/tools/list

When initially disclosed on April 20, 2026, the flaw was considered limited in impact because access required a valid proxy API key. That assumption was dismantled when Horizon3.ai researchers chained it with CVE-2026-48710, a Starlette “BadHost” Host Header validation bypass affecting Starlette versions 1.0.0 and earlier.

By manipulating the HTTP Host header to exploit the Starlette authentication bypass, attackers can sidestep LiteLLM’s API key requirement entirely. The result is that unauthenticated remote code execution commands execute with the same privileges as the LiteLLM proxy process, with no login or API key required.

Affected versions span LiteLLM 1.74.2 through 1.83.6 on deployments whose dependency tree includes Starlette ≤ 1.0.0.

LiteLLM RCE Vulnerability Exploited

Successful exploitation of this chained vulnerability gives attackers significant reach into AI infrastructure. Once code execution is achieved, threat actors can:

• Execute arbitrary OS commands on the LiteLLM host
• Steal API keys and model provider credentials stored by the proxy
• Access secrets and environment variables in the proxy process
• Move laterally into connected AI infrastructure and downstream systems

Given that LiteLLM is widely used to route and manage API calls to large language models (LLMs) from providers like OpenAI, Anthropic, and Azure, a compromise of the gateway layer can cascade into broader AI supply chain exposure.

Indicators of Compromise

Security teams should monitor for the following signs of exploitation activity:

• Unexpected subprocess execution originating from the LiteLLM process
• HTTP requests targeting /mcp-rest/test/connection or /mcp-rest/test/tools/list
• Unusual or malformed Host header values in proxy logs
• Unauthorized command execution events on the host system

Organizations should immediately upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is updated to version 1.0.1 or later. If patching cannot be applied immediately, defenders should:

• Block external access to the MCP test endpoints
• Restrict proxy network access to trusted segments only
• Rotate all credentials and API keys stored by the proxy
• Review logs for anomalous Host header values and subprocess events

Given active in-the-wild exploitation, patching should be treated as an emergency priority for any organization running a self-hosted LiteLLM deployment.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.