External risk intelligence

LiteLLM Command Injection via Unrestricted Configuration

CVE advisoryKnown Exploit

CVE-2026-42271

A vulnerability in the LiteLLM AI Gateway allows authenticated users to execute arbitrary commands by sending a crafted server configuration to specific endpoints. This could result in the compromise of the host system with the privileges of the proxy process. The issue has been patched in version 1.83.7.

4Halo Surface Signal

OS Command Injection

Litellm

1.74.2 to before 1.83.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-42271

LiteLLM is designed as an AI gateway or proxy server, which is commonly deployed as an internet-facing service or an edge-accessible API endpoint to facilitate LLM API calls. Its primary role as a centralized gateway for AI services makes it highly probable to be exposed to network traffic from external or internet-connected environments.

PCI scan relevance

PCI Relevance for CVE-2026-42271

Yes

CVE-2026-42271 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in LiteLLM allows authenticated users to execute arbitrary commands on the host system, posing a significant risk and likely causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the LiteLLM AI Gateway could allow authenticated users to execute arbitrary commands on the host system. This is due to how certain endpoints handled server configurations, potentially leading to unauthorized command execution with the privileges of the proxy process. The issue has been patched in version 1.83.7.

  • Any authenticated user can run commands.
  • It affects a central AI gateway service.
  • Confirm if your AI gateway is exposed.

Attack Path

How an attacker could exploit the issue

An attacker with a valid API key can send a crafted request to specific LiteLLM endpoints. These endpoints process server configurations, and if a malicious command is included in the configuration, LiteLLM will execute it as a subprocess on the host. This allows an attacker to run arbitrary commands with the privileges of the LiteLLM process.

  • Requires authenticated access.
  • Triggered by sending a malicious server configuration.
  • Leads to arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could execute arbitrary commands on the LiteLLM proxy server host. This could occur when the server attempts to test an MCP server configuration, if the affected endpoints are called with a stdio configuration and a malicious command.

  • Arbitrary command execution on host.
  • Endpoints accept and run commands.
  • Compromise of the proxy host system.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for managing API gateways, AI infrastructure, or application platforms should prioritize this vulnerability. The immediate practical step is to identify all instances of the affected LiteLLM proxy, confirm its accessibility from the network, and determine its business criticality to prioritize remediation efforts.

  • Identify and inventory affected systems.
  • Verify network exposure and impact.
  • Plan remediation based on risk.

Frequently asked questions

What is LiteLLM and why is it used?

LiteLLM is a proxy server, often called an AI Gateway, designed to translate various LLM API requests into a unified format. It acts as a central hub for applications to interact with multiple AI models, streamlining authentication and routing for developers who need to manage AI API calls efficiently within their infrastructure.

How does CVE-2026-42271 lead to command injection?

This vulnerability falls under the CWE-77 and CWE-78 weakness classes, which involve improper neutralization of special elements used in commands. In LiteLLM, specific endpoints designed to preview configurations would accept server settings and unintentionally execute them as subprocesses on the host. This effectively allowed a user-supplied string to be treated as a system command.

What triggers the vulnerability in LiteLLM?

The flaw is triggered when an authenticated user sends a request to specific MCP preview endpoints containing a malicious stdio server configuration. The bug is not triggered by standard AI API traffic or by users lacking a valid proxy API key. The system only executes the code when it attempts to validate or test the connection using the attacker-supplied configuration details.

Is my deployment at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a high-priority concern because LiteLLM is typically deployed as an internet-facing gateway or an edge service. Because these services are often positioned to handle external network traffic, any internal or external user holding a valid API key has the potential to reach these vulnerable endpoints and gain unauthorized control over the proxy host.

Do I need to update my LiteLLM instance?

Yes. The first step is to inventory your environment to locate all running instances of LiteLLM version 1.74.2 through 1.83.6. Once identified, you should prioritize upgrading these instances to version 1.83.7, which contains the necessary patches to disable the vulnerable endpoint logic and prevent arbitrary command execution.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified