External risk intelligence

LiteLLM MCP Server Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-30623

LiteLLM is frequently deployed as an API gateway or middleware service for LLM applications. Because it often acts as an externally reachable interface for managing AI model requests and server configurations, the functionality to add and execute MCP servers is likely exposed to network-based inputs, making it a common target for internet-facing service exploitation.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

LiteLLM, a tool used in AI applications, has a critical vulnerability that could allow attackers to run unauthorized commands on affected systems. This issue arises from how the application handles server configurations, potentially leading to unauthorized access and control. The main concern is confirming if and where this specific technology is in use within our environment.

  • Unvalidated server commands allow unauthorized code execution.
  • Critical flaw could impact systems managing AI model requests.
  • Confirm relevance and exposure for AI application environments.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted JSON configuration to the LiteLLM application's MCP server creation functionality. This configuration allows the attacker to specify arbitrary command and argument values, which LiteLLM then executes on the host system without proper validation. This can lead to the execution of unauthorized operating system commands, potentially compromising the server.

  • Network access to MCP server creation required.
  • Arbitrary JSON configuration triggers execution.
  • Remote code execution with process privileges.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in LiteLLM's MCP server creation functionality could allow unauthenticated attackers to execute arbitrary operating system commands on the host system. This occurs when the application processes JSON configurations that specify command and argument values, which are then executed without validation. The potential impact depends on the privileges of the running LiteLLM process.

  • Arbitrary commands on host system.
  • Unvalidated configuration inputs.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical remote code execution vulnerability in LiteLLM's MCP server functionality likely impacts teams responsible for AI infrastructure, application development, or platform management. The first practical step is to identify all LiteLLM deployments, determine their exposure and criticality, and confirm ownership. Remediation planning should then be prioritized based on these findings.

  • Identify LiteLLM instances and ownership.
  • Verify MCP server configuration and reachability.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is LiteLLM?

LiteLLM is a software utility that functions as an API gateway or middleware service. It is widely used by developers to unify and manage interactions across various Large Language Models (LLMs), simplifying the process of routing requests and handling model configurations within AI-powered applications.

How does CVE-2026-30623 impact LiteLLM?

This vulnerability is classified as Improper Neutralization of Special Elements used in an OS Command (CWE-77). It means the software fails to properly sanitize input when processing MCP server configurations, allowing an attacker to inject and execute their own operating system commands directly on the host machine.

What triggers the command execution in this CVE?

The flaw is triggered when the application processes a specially crafted JSON configuration provided to the MCP server creation function. Commands are not executed by simply visiting the site or performing standard API requests; they require an attacker to successfully submit this specific, malicious configuration payload.

Is my LiteLLM instance at risk?

Halo Surface Signal indicates that because LiteLLM is frequently deployed as an externally reachable API gateway, it is often exposed to network-based inputs. If your instance is configured to accept MCP server additions from network sources, it is at higher risk of being targeted by unauthorized actors.

How should I respond to this threat?

Begin by inventorying all LiteLLM deployments within your infrastructure to establish ownership and criticality. Once identified, audit your MCP server configurations and restrict access to the server creation functionality to prevent unauthorized, unvalidated command inputs while planning your next maintenance steps.

References