LiteLLM RCE Vulnerability Actively Exploited in the Wild

A critical LiteLLM RCE vulnerability is now being actively exploited, exposing AI infrastructure to full system compromise. Security researchers have identified a chained attack combining two flaws that allow unauthenticated remote code execution (RCE) with a maximum CVSS score of 10.0.

The issue affects LiteLLM, a widely adopted open-source AI gateway used to route requests to large language models (LLMs) such as OpenAI, Anthropic, and Azure. The flaw enables attackers to execute arbitrary commands on vulnerable systems—without authentication—raising serious concerns for organizations running self-hosted deployments.

Key Details

The attack chain involves two vulnerabilities:

  • CVE-2026-42271 — Command injection in LiteLLM MCP test endpoints
  • CVE-2026-48710 — Starlette “BadHost” Host header validation bypass

Initially disclosed on April 20, 2026, CVE-2026-42271 was considered low risk because it required a valid API key. However, researchers at Horizon3.ai demonstrated that when combined with the Starlette flaw, attackers can completely bypass authentication.

Affected systems include:

  • LiteLLM versions 1.74.2 through 1.83.6
  • Deployments using Starlette ≤ 1.0.0

The exploitation targets two exposed MCP endpoints:

  • POST /mcp-rest/test/connection
  • POST /mcp-rest/test/tools/list

These endpoints accept a full configuration as input, including commands, and those commands are executed directly on the host system.

Technical Analysis

Command Injection via MCP Endpoints

The core vulnerability lies in how LiteLLM processes user-supplied data.

Attackers can submit malicious payloads containing:

  • System commands
  • Environment variables
  • Execution parameters

The application then spawns a subprocess from these inputs, effectively executing arbitrary code on the server.

This aligns with OS command injection (CWE-78), a high-impact vulnerability class commonly exploited in real-world breaches.

Starlette Host Header Bypass

The second flaw, CVE-2026-48710, affects the underlying Starlette framework.

By manipulating the HTTP Host header, attackers can:

  • Bypass authentication controls
  • Evade API key validation
  • Access protected endpoints without credentials

When chained together:

  1. The attacker sends a crafted HTTP request with a malicious Host header
  2. Authentication checks are bypassed
  3. The attacker accesses MCP test endpoints
  4. Command injection payload executes on the host

This results in zero-click, unauthenticated RCE, making it one of the most severe exploit scenarios in AI infrastructure.

Impact and Risks

Immediate Risks

Successful exploitation allows attackers to:

  • Execute arbitrary OS commands
  • Extract API keys and LLM provider credentials
  • Access sensitive environment variables
  • Control the LiteLLM gateway process

Broader Implications

Because LiteLLM acts as a central gateway for AI workloads, compromise can cascade into:

  • Cloud infrastructure compromise (AWS, Azure, GCP)
  • Exposure of LLM API keys and tokens
  • Unauthorized access to downstream systems
  • Potential AI supply chain attacks

High-Risk Environments

  • AI platforms integrating multiple LLM providers
  • Enterprises using LiteLLM as a unified API proxy
  • Dev environments storing API keys and secrets
  • Production AI pipelines and microservices

Given active exploitation in the wild, the risk level is considered critical and time-sensitive.

Expert Recommendations

1. Patch Immediately

  • Upgrade LiteLLM to version 1.83.7 or later
  • Update Starlette to version 1.0.1 or higher
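
To triage a deployment against the version ranges quoted above, the following added example (not LiteLLM's or Horizon3.ai's code) classifies a LiteLLM/Starlette version pair as exposed to the full chain, to one half of it, or to neither. The status labels and function names are this example's own; the comparison uses only the numeric release components.

```python
import re
from importlib import metadata

# Version boundaries as stated in the article.
LITELLM_FIRST_AFFECTED = (1, 74, 2)
LITELLM_FIRST_FIXED = (1, 83, 7)
STARLETTE_FIRST_FIXED = (1, 0, 1)   # article: Starlette <= 1.0.0 is affected


def parse(version):
    """Numeric release tuple; suffixes such as 'rc1' or '.post1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(litellm_version, starlette_version):
    """Classify exposure (labels are this example's own, not official terms)."""
    injection = LITELLM_FIRST_AFFECTED <= parse(litellm_version) < LITELLM_FIRST_FIXED
    bypass = parse(starlette_version) < STARLETTE_FIRST_FIXED
    if injection and bypass:
        return "chain"            # CVE-2026-42271 + CVE-2026-48710: unauthenticated
    if injection:
        return "injection-only"   # CVE-2026-42271: still needs a valid API key
    if bypass:
        return "bypass-only"      # CVE-2026-48710 without the LiteLLM flaw
    return "not-affected"


def assess_installed():
    """Assess the packages installed in the current Python environment."""
    try:
        return assess(metadata.version("litellm"), metadata.version("starlette"))
    except metadata.PackageNotFoundError as exc:
        return f"unknown ({exc})"


if __name__ == "__main__":
    print(assess_installed())
```

Run it with the same interpreter or virtual environment that serves the gateway; a container image may pin different versions than the host.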

2. Restrict MCP Endpoint Access

  • Block external access to:
    • /mcp-rest/test/connection
    • /mcp-rest/test/tools/list
  • Limit access to internal or trusted networks only

3. Monitor for Indicators of Compromise

Watch for:

  • Unexpected subprocess execution events
  • Suspicious API calls to MCP endpoints
  • Abnormal Host header values in logs
  • Unauthorized command execution activity

4. Rotate Credentials

  • Immediately rotate:
    • API keys (OpenAI, Anthropic, Azure)
    • Environment secrets
    • Access tokens stored in LiteLLM

5. Harden Network and Runtime Security

  • Segment AI infrastructure from external networks
  • Apply least privilege to LiteLLM processes
  • Use runtime security tools to detect anomalies

6. Enhance Logging and Detection

  • Enable detailed HTTP request logging
  • Integrate logs into SIEM/SOC platforms
  • Alert on suspicious Host header patterns
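
The monitoring advice in recommendations 3 and 6 can be turned into a log check. This is an added example, not code from LiteLLM or the researchers: it assumes a reverse proxy writes JSON-lines access logs with the raw Host header, and the field names, allowlisted hostnames, trusted networks and sample records are all constructed for illustration.

```python
import ipaddress
import json

# Endpoints named in the article.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Assumptions: the Host values this gateway is served under, trusted source networks.
EXPECTED_HOSTS = {"llm-gateway.internal.example", "llm-gateway.internal.example:4000"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample records (JSON lines; field names are assumptions).
SAMPLE_LOG = [
    '{"remote_addr": "10.1.2.3", "method": "POST", "path": "/v1/chat/completions", "host": "llm-gateway.internal.example"}',
    '{"remote_addr": "203.0.113.50", "method": "POST", "path": "/mcp-rest/test/connection", "host": "unexpected.example"}',
    '{"remote_addr": "10.1.2.9", "method": "POST", "path": "/mcp-rest/test/tools/list", "host": "llm-gateway.internal.example"}',
    '{"remote_addr": "198.51.100.7", "method": "GET", "path": "/health", "host": "unexpected.example"}',
    'truncated line, not JSON',
]

def triage(entry):
    """Return the findings for one parsed access-log record."""
    path = str(entry.get("path", "")).split("?", 1)[0].rstrip("/")
    host = str(entry.get("host", "")).strip().lower()
    src = ipaddress.ip_address(entry["remote_addr"])
    findings = []
    bad_host = host not in EXPECTED_HOSTS
    if bad_host:
        findings.append("unexpected-host-header")
    if entry.get("method") == "POST" and path in MCP_TEST_PATHS:
        if not any(src in net for net in TRUSTED_NETS):
            findings.append("mcp-test-endpoint-from-untrusted-source")
        if bad_host:  # abnormal Host plus MCP test endpoint: the chain's shape
            findings.append("matches-chain-pattern")
    return findings

def scan(lines):
    """Return ([(line_number, findings)], unparsed_count) for a log."""
    hits, unparsed = [], 0
    for n, line in enumerate(lines, 1):
        try:
            found = triage(json.loads(line))
        except (ValueError, KeyError, AttributeError):
            unparsed += 1  # keep a count: gaps in logging are worth reviewing too
            continue
        if found:
            hits.append((n, found))
    return hits, unparsed

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A record tagged `matches-chain-pattern` should be correlated with process-creation telemetry from the gateway host for the same time window, per the subprocess indicator listed above.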

Industry Context

This incident highlights a growing trend: AI infrastructure is becoming a high-value target for attackers.

Unlike traditional APIs, AI gateways like LiteLLM aggregate:

  • Multiple cloud credentials
  • Sensitive prompts and data flows
  • Access to downstream services

This creates a single point of failure that attackers can exploit.

Additionally, the vulnerability chain demonstrates how dependency flaws (Starlette) can amplify application-layer vulnerabilities, a pattern increasingly seen in modern supply chain attacks.

As AI adoption accelerates, security gaps in frameworks, proxies, and orchestration layers are emerging as a critical risk area.

Conclusion

The active exploitation of the LiteLLM RCE vulnerability underscores the urgent need to secure AI infrastructure. A simple chained exploit now allows attackers to bypass authentication and execute commands on exposed systems.

Organizations using LiteLLM must treat this as an emergency patching priority. Failure to act quickly could result in credential theft, infrastructure compromise, and broader supply chain exposure across AI-driven environments.


FAQ

What is the LiteLLM RCE vulnerability?

It is a critical flaw that allows attackers to execute arbitrary commands on LiteLLM servers without authentication.

Which CVEs are involved in the attack?

The exploit chain combines CVE-2026-42271 (command injection) and CVE-2026-48710 (Host header bypass).

Who is affected?

Organizations running LiteLLM versions 1.74.2 to 1.83.6 with vulnerable Starlette dependencies.

How can the vulnerability be exploited?

Attackers manipulate the Host header to bypass authentication and send malicious payloads to MCP endpoints that execute commands.

How do I protect my systems?

Upgrade LiteLLM and Starlette immediately, restrict endpoint access, rotate credentials, and monitor logs for suspicious activity.
