Issuer: Adverse Trace Date issued: 2026-06-09 Version: 1.0
1. Executive summary
Active exploitation of CVE-2026-42271, a command injection flaw in BerriAI LiteLLM, has been confirmed by CISA and added to the Known Exploited Vulnerabilities (KEV) catalog. While the base vulnerability requires authentication, threat actors are chaining it with CVE-2026-48710 (Starlette "BadHost" bypass) to achieve unauthenticated remote code execution (RCE). EMEA financial services utilizing LiteLLM for AI gateway operations face immediate risk of full host compromise and data exfiltration if running versions 1.74.2 through 1.83.6. Immediate patching to version 1.83.7 or strict network isolation is required to meet DORA incident prevention obligations.
2. Regulatory framing
| Regulation | Article | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 17 | ICT Risk Management: Entities must immediately identify if LiteLLM is in their ICT asset inventory and apply the vendor patch (v1.83.7) to mitigate the identified vulnerability. |
| DORA | Art. 19 | Incident Reporting: Successful exploitation resulting in data breach or service disruption constitutes a "major" incident trigger, requiring initial notification to the competent authority within 24 hours. |
| DORA | Art. 28-30 | Third-Party Risk: If LiteLLM is provided via a third-party cloud provider, entities must verify the provider's remediation status under BOD 22-01 guidance and contractual SLAs. |
| NIS2 | Art. 21(2)(d) | Supply Chain Security: Requires immediate assessment of the software supply chain where LiteLLM is integrated, ensuring updates are applied to prevent unauthorized access. |
| NIS2 | Art. 23 | Vulnerability Handling: Mandates the implementation of policies for receiving, handling, and remediating vulnerabilities, specifically addressing the CISA KEV deadline of 2026-06-22. |
3. Attack chain
- Reconnaissance/Initial Access: Attacker identifies a LiteLLM instance running a vulnerable version (< 1.83.7) behind a Starlette-based ASGI framework.
- Authentication Bypass: Attacker exploits CVE-2026-48710 ("BadHost" host header validation bypass) in the Starlette dependency to circumvent LiteLLM's API key authentication checks.
- Command Injection: Attacker sends a crafted request to the
POST /mcp-rest/test/connectionorPOST /mcp-rest/test/tools/listendpoints. - Execution: The vulnerable endpoint accepts a
stdioconfiguration containing arbitrarycommand,args, andenvfields in the request body. - Compromise: The LiteLLM proxy spawns the supplied command as a subprocess with the privileges of the proxy process, resulting in Remote Code Execution (RCE).
Unconfirmed Steps: While Horizon3.ai has demonstrated the chaining of CVE-2026-42271 with CVE-2026-48710 in proof-of-concept scenarios, specific attribution of active wild campaigns to a particular threat group or ransomware family remains unconfirmed. CISA confirms active exploitation but has not publicly disclosed specific threat actor TTPs beyond the vulnerability chain.
4. Mitigation & containment
P1: Immediate (Within 24h) * Patch: Upgrade BerriAI LiteLLM to version 1.83.7 or later. This version restricts the /mcp-rest/test/* endpoints to users with the PROXY_ADMIN role. * Command (pip): pip install --upgrade litellm==1.83.7 * Command (poetry): poetry add litellm@^1.83.7 * Isolate (If patching is delayed): Block external access to LiteLLM management ports (default 4000/tcp) at the WAF/Load Balancer level. Allow only trusted internal management subnets. * Disable Endpoints: If custom configuration allows, explicitly disable or remove the mcp-rest module routes in the LiteLLM configuration file (litellm_config.yaml) until patched.
P2: Short-term (Within 72h) * Dependency Audit: Scan all container images and Python environments for Starlette versions vulnerable to CVE-2026-48710. Upgrade Starlette to the latest secure version regardless of LiteLLM patch status to remove the authentication bypass vector. * Privilege Review: Audit all issued API keys. Ensure no "internal-user" or low-privilege keys have unnecessary scope. Rotate all keys issued prior to 2026-06-09.
P3: Medium-term (Within 7 days) * Process Hardening: Run the LiteLLM proxy process under a restricted service account with minimal filesystem permissions (no write access to /etc, /bin, or application source directories). * Network Segmentation: Enforce strict egress filtering on hosts running LiteLLM to prevent outbound C2 connections following potential RCE.
5. Indicators of compromise
No specific file hashes, IP addresses, or domains associated with active exploitation campaigns are available in the source material at this time. The primary indicators are the presence of vulnerable software versions and specific HTTP request patterns.
# No static IOCs (hashes/domains/IPs) available in source material.
# Detection relies on version identification and behavioral patterns.
6. Detection
The following rules detect the presence of vulnerable versions and the specific HTTP request patterns associated with the exploitation of CVE-2026-42271 and the CVE-2026-48710 chain.
rule LiteLLM_CVE_2026_42271_Exploit_Attempt {
meta:
author = "Adverse Trace"
date = "2026-06-09"
description = "Detects HTTP requests targeting vulnerable LiteLLM MCP test endpoints with stdio command injection payloads."
reference = "https://thehackernews.com/2026/06/litellm-flaw-cve-2026-42271-exploited.html"
cve = "CVE-2026-42271"
strings:
$uri_test_conn = "/mcp-rest/test/connection" nocase
$uri_test_tools = "/mcp-rest/test/tools/list" nocase
$param_command = "\"command\"" nocase
$param_args = "\"args\"" nocase
$param_env = "\"env\"" nocase
$transport_stdio = "\"stdio\"" nocase
condition:
(http_request_uri contains $uri_test_conn or http_request_uri contains $uri_test_tools) and
(http_request_body contains $param_command and http_request_body contains $transport_stdio)
}
title: LiteLLM Command Injection via MCP Endpoint
id: 8a9b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects POST requests to LiteLLM MCP test endpoints containing command injection parameters.
author: Adverse Trace
date: 2026/06/09
references:
- https://thehackernews.com/2026/06/litellm-flaw-cve-2026-42271-exploited.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-42271
logsource:
category: webserver
service: apache
definition: 'Requires logging of request body (POST data)'
detection:
selection_uri:
c-uri|contains:
- '/mcp-rest/test/connection'
- '/mcp-rest/test/tools/list'
selection_method:
c-method: 'POST'
selection_payload:
c-postbody|contains:
- '"command"'
- '"stdio"'
condition: all of selection_*
falsepositives:
- Legitimate administrative use of MCP testing by authorized admins (verify source IP and user agent).
level: critical
tags:
- attack.initial_access
- attack.t1190
- cve.2026-42271
7. Sources
- The Hacker News, "LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE", 2026-06-09, https://thehackernews.com/2026/06/litellm-flaw-cve-2026-42271-exploited.html
- CISA / NIST NVD, "CVE-2026-42271 — BerriAI LiteLLM Command Injection Vulnerability", https://nvd.nist.gov/vuln/detail/CVE-2026-42271
- CISA / NIST NVD, "CVE-2026-42208 — BerriAI LiteLLM SQL Injection Vulnerability", https://nvd.nist.gov/vuln/detail/CVE-2026-42208
8. Adverse Trace position
We assess the severity of this threat as Critical for any EMEA financial entity deploying LiteLLM in an internet-facing or semi-trusted zone. The combination of an authenticated command injection flaw with a publicly known authentication bypass (CVE-2026-48710) creates a trivial path to unauthenticated RCE. The inclusion in the CISA KEV catalog with a 2026-06-22 deadline mandates immediate action under DORA Article 17. We will monitor threat intelligence feeds for specific IOCs related to post-exploitation activity and update this advisory if attribution becomes available. Clients should prioritize patching to v1.83.7 before the CISA deadline.
Published via PulseTrace — Adverse Trace threat intelligence.