Vulnerability  ·  2026-07-17

LiteLLM MCP Server Creation — Command Injection via Unvalidated JSON Config (STDIO Transport)

VulnerabilityHigh impactGlobalCVE-2026-30623
LiteLLM's MCP server creation functionality passes user-specified 'command' and 'args' fields from JSON configuration directly to a subprocess call without sanitization, root-caused in Anthropic's MCP SDK StdioServerParameters class, which LiteLLM (and over a dozen other AI platforms) inherited.
LiteLLM is one of the most widely deployed LLM gateway/proxy layers in production AI stacks; this flaw allows any party able to influence MCP server configuration (including via prompt injection in some deployments) to gain full remote code execution on the gateway host, exposing every proxied model API key and any connected internal service.
LiteLLM allows adding MCP servers via a JSON configuration that specifies arbitrary command and args values; these are executed on the host without validation, so a user (or a config surfaced by prompt injection) can specify a shell binary as the command value to gain command execution on the LiteLLM host.
LiteLLM 1.18.10 (root cause in the MCP SDK stdio transport, fixed from v1.83.6-nightly onward)
Upgrade to LiteLLM v1.83.7 or later (fix landed in commit 7b7f304 / PR #25343). See vendor advisory at docs.litellm.ai/blog/mcp-stdio-command-injection-april-2026.
LiteLLM Security AdvisoryNVD CVE-2026-30623
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →