What happened
LiteLLM's MCP server creation functionality passes user-specified 'command' and 'args' fields from JSON configuration directly to a subprocess call without sanitization, root-caused in Anthropic's MCP SDK StdioServerParameters class, which LiteLLM (and over a dozen other AI platforms) inherited.
Why it matters
LiteLLM is one of the most widely deployed LLM gateway/proxy layers in production AI stacks; this flaw allows any party able to influence MCP server configuration (including via prompt injection in some deployments) to gain full remote code execution on the gateway host, exposing every proxied model API key and any connected internal service.
Attack vector
LiteLLM allows adding MCP servers via a JSON configuration that specifies arbitrary command and args values; these are executed on the host without validation, so a user (or a config surfaced by prompt injection) can specify a shell binary as the command value to gain command execution on the LiteLLM host.
Affected systems
LiteLLM 1.18.10 (root cause in the MCP SDK stdio transport, fixed from v1.83.6-nightly onward)
Mitigation
Upgrade to LiteLLM v1.83.7 or later (fix landed in commit 7b7f304 / PR #25343). See vendor advisory at docs.litellm.ai/blog/mcp-stdio-command-injection-april-2026.