CISA added CVE-2026-42271 — a high-severity command injection vulnerability in BerriAI’s LiteLLM — to its Known Exploited Vulnerabilities catalog on June 8, with a compliance deadline of June 22 for federal agencies under Binding Operational Directive 22-01. LiteLLM is an open-source AI proxy and gateway platform that development teams use to route API calls across multiple large language model providers — OpenAI, Anthropic Claude, Google Gemini, Azure OpenAI, and AWS Bedrock — through a single unified interface. The KEV addition constitutes official US government confirmation that CVE-2026-42271 is being actively exploited in the wild.
CVE-2026-42271: Command Injection in LiteLLM’s MCP Test Endpoints
CVE-2026-42271 carries a CVSS v3.1 score of 8.8 HIGH and a CVSS v4.0 score of 8.7 HIGH. It is classified under CWE-77 and CWE-78 — improper neutralization of special elements used in OS commands. The vulnerability resides in LiteLLM’s MCP server preview feature, specifically two HTTP endpoints: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. Both endpoints accepted configuration objects that included command and environment fields and passed them directly to a subprocess spawned on the proxy host, executing the supplied command with the privileges of the LiteLLM proxy process.
The CVSS scores reflect the flaw’s characteristics: low attack complexity, no user interaction required, and high impact across confidentiality, integrity, and availability. The attack requires only network access to the LiteLLM instance and a valid API key — no elevated role or administrator account needed.
How a Valid LiteLLM API Key Enables OS Command Execution via /mcp-rest/test
The critical design flaw in CVE-2026-42271 is the absence of role verification on the vulnerable endpoints. Both POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list required only a valid LiteLLM API key — the same credential issued to developers for standard API access. A lower-privilege developer account with no administrative rights was sufficient to exploit the flaw.
An attacker who obtains a valid API key through credential theft, phishing, or access to an exposed credentials file sends a single POST request to either endpoint with their desired operating system command in the request body. The LiteLLM proxy executes that command as its service account. In production deployments, LiteLLM service accounts typically hold broad internal network access and filesystem permissions — allowing lateral movement beyond the immediate host.
The primary target for exploitation after gaining OS access is LiteLLM’s configuration. Production LiteLLM deployments are configured with the AI provider credentials used to authenticate API calls: OpenAI API keys, AWS IAM access tokens, Azure Service Principal credentials, Anthropic API keys, and similar. An attacker who reads the LiteLLM configuration file on disk exfiltrates all stored credentials in a single operation — stealing access to the organization’s entire AI provider stack alongside OS-level persistence on the proxy host.
Versions 1.74.2 Through 1.83.6 Affected: LiteLLM 1.83.7 Contains the Fix
CVE-2026-42271 affects LiteLLM versions 1.74.2 through 1.83.6. BerriAI patched the vulnerability in version 1.83.7. The affected version range spans a substantial deployment window, and the attack’s low complexity means any instance within that range accessible over the network is exploitable by any attacker in possession of a valid API key.
For organizations unable to upgrade immediately, restricting or blocking network access to the /mcp-rest/test/ endpoint path at an API gateway, reverse proxy, or network firewall provides a partial mitigation while the upgrade is prepared and tested. This path-level block prevents exploitation of the specific vulnerable endpoints without requiring a full LiteLLM upgrade cycle.
CISA’s CVE-2026-42271 KEV Entry Triggers BOD 22-01 Federal Patch Mandate
CISA’s addition of CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8 carries direct compliance obligations for US federal civilian executive branch agencies. Under Binding Operational Directive 22-01, federal agencies are required to remediate KEV-listed vulnerabilities by their assigned due dates. The June 22 deadline gives federal agencies 14 days from the KEV addition to apply the LiteLLM 1.83.7 patch or implement approved compensating controls.
The same day’s KEV update also added CVE-2026-50751 — a Check Point Security Gateway authentication bypass — making June 8 one of the few days in 2026 when CISA cataloged two high-profile actively exploited vulnerabilities in a single update. For federal environments running LiteLLM in any AI infrastructure capacity, the June 22 deadline is the governing compliance trigger, but the active exploitation confirmation in the KEV entry removes any basis for a delayed remediation response.
Organizations running LiteLLM 1.83.6 or earlier in production AI platforms, development pipelines, or internal tooling should treat the KEV addition as the authoritative signal to prioritize the upgrade to 1.83.7. The attack path — one HTTP request, no elevated role, full OS access, all AI provider credentials at risk — requires no specialized tooling or extended access to execute against an unpatched, network-accessible instance.
