What happened
CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 9, 2026, confirming active in-the-wild exploitation. The flaw resides in two MCP server preview endpoints in LiteLLM that accept full server configurations — including command, args, and env fields — and spawn the supplied command as a subprocess with no validation or sandboxing. Chained with CVE-2026-48710, a host-header parsing flaw in Starlette (the ASGI framework underpinning LiteLLM, vLLM, and many FastAPI-based AI tools), the authentication requirement is bypassed entirely, yielding unauthenticated RCE. Horizon3.ai published a full working proof-of-concept. CISA characterized the pattern as 'sustained targeting of AI gateway infrastructure.'
Why it matters
LiteLLM is the central key-management and routing chokepoint for enterprise AI deployments. Compromise exposes every configured provider credential (OpenAI, Anthropic, Azure, AWS Bedrock, etc.), all prompt and response data (including PII, source code, and pasted secrets), and — critically — allows silent tampering of model responses in transit to downstream AI agents. A gateway-level compromise converts the attacker into the steering mechanism for every agent routed through it. CVE-2026-48710 also affects vLLM and any other ASGI app using path-based auth with Starlette ≤1.0.0, widening the blast radius significantly.
Attack vector
Attacker sends a crafted POST to /mcp-rest/test/connection or /mcp-rest/test/tools/list with a malicious stdio MCP server config (command/args/env fields). LiteLLM spawns the supplied command as a subprocess on the host with no sandbox. Chained with CVE-2026-48710 (Starlette 'BadHost' host-header bypass), authentication is skipped entirely — unauthenticated RCE from the network. Horizon3.ai published a working PoC demonstrating the full chain.
Affected systems
BerriAI LiteLLM 1.74.2 – 1.83.6; Starlette 0.8.3 – 1.0.0
Mitigation
Upgrade LiteLLM to ≥1.83.7 and Starlette to ≥1.0.1. Rotate all provider keys, master key, and database credentials if previously exposed. Restrict MCP test endpoints to PROXY_ADMIN role. CISA KEV federal deadline was June 22, 2026.
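Added example (not from the advisory or the LiteLLM project): a triage helper that checks `pip freeze` output against the affected ranges listed under Affected systems and flags access-log lines recording a POST to either MCP test endpoint named under Attack vector. The sample inputs are constructed, a uvicorn-style access log with a quoted request line is assumed, and pre-release or post-release suffixes are ignored when comparing versions.

```python
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED = {
    "litellm": ((1, 74, 2), (1, 83, 6)),
    "starlette": ((0, 8, 3), (1, 0, 0)),
}
# MCP preview endpoints named in the advisory.
MCP_TEST_PATHS = ("/mcp-rest/test/connection", "/mcp-rest/test/tools/list")

# Constructed sample inputs (not real host data).
SAMPLE_FREEZE = "fastapi==0.115.0\nlitellm==1.80.5\nstarlette==1.0.1\n"
SAMPLE_LOG = [
    'INFO:     203.0.113.7:51022 - "POST /mcp-rest/test/tools/list HTTP/1.1" 200 OK',
    'INFO:     203.0.113.7:51030 - "GET /health HTTP/1.1" 200 OK',
    'INFO:     198.51.100.4:40112 - "POST /chat/completions HTTP/1.1" 200 OK',
]

def parse_version(text):
    """Return the leading numeric release as a 3-tuple: '1.83.6.post1' -> (1, 83, 6)."""
    nums = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in nums.group().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_freeze(freeze_text):
    """Map each package pinned inside an affected range to its pinned version."""
    findings = {}
    for line in freeze_text.splitlines():
        name, sep, version = line.strip().partition("==")
        key = name.split("[")[0].strip().lower()  # drop extras such as [proxy]
        if sep and key in AFFECTED:
            low, high = AFFECTED[key]
            if low <= parse_version(version) <= high:
                findings[key] = version.strip()
    return findings

def flag_mcp_test_requests(access_log_lines):
    """Return log lines that record a POST to either MCP test endpoint."""
    pattern = re.compile(r'"POST (\S+) HTTP/[\d.]+"')
    hits = []
    for line in access_log_lines:
        m = pattern.search(line)
        if m and m.group(1).split("?", 1)[0].rstrip("/") in MCP_TEST_PATHS:
            hits.append(line)
    return hits

if __name__ == "__main__":
    print(audit_freeze(SAMPLE_FREEZE), flag_mcp_test_requests(SAMPLE_LOG))
```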