s1
--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

CVE-2026-42271

📛 CVE Title

LiteLLM: Authenticated command execution via MCP stdio test endpoints

⬇ Download JSON ⚠ View as Threat

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Overview

State
PUBLISHED
Assigner (CNA)
GitHub_M
CVSS severity
HIGH
CVSS score
CVSS 8.7 / 10 8.7 8.7 / 10
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
Effective score
8.7 / 10 HIGH source: CNA overview
CWE(s)
CWE-77, CWE-78
Reserved
2026-04-26
Published
2026-05-08 05:35 UTC
Last updated
2026-05-09 05:55 UTC
Source
https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/42xxx/CVE-2026-42271.json
Linked Threat
CVE-2026-42271 — BerriAI LiteLLM: BerriAI LiteLLM Command Injection Vulnerability

NVD triage scoring NVD CVE 2.0

Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.

NVD published
2026-05-08 04:16:21 UTC
NVD last modified
2026-05-08 20:04:50 UTC
NVD CVSS v3.1
CVSS 8.8 / 10 8.8 8.8 / 10 HIGH source: nvd@nist.gov
NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore
2.8 / 10
Impact subscore
5.9 / 10
EPSS score
0.0002 (probability of exploitation in next 30 days)
EPSS percentile
6.22% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24

NVD / KEV / EPSS data refreshed 2026-05-25 09:35 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.

European Union Vulnerability Database ENISA EUVD

ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.

EUVD ID
EUVD-2026-28507
Assigner
GitHub_M
Published
May 8, 2026, 3:35:16 AM
Updated
May 9, 2026, 3:55:48 AM
EUVD base score (CVSS 4.0)
8.7 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
EUVD-reported EPSS
0.0200
Vendors
berriai
Products
LiteLLM (1.74.2, < 1.83.7)
LiteLLM (1.74.2, < 1.83.7)
Aliases
GHSA-v4p8-mg3p-g94g

ENISA description: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

EUVD references (2)

Affected products (1)
VendorProductVersionsPlatforms
BerriAI litellm >= 1.74.2, < 1.83.7 (affected)

Affected products — CPE 2.3 (1) NVD

NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.

  • cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*

Remediations (11)

Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.

  • CISA Required Action
    CISA KEV

    Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-22 Known ransomware campaign use: Unknown

    2026-06-09 02:31 UTC
  • Microsoft Patch Tuesday March 2026 - 78 Vulnerabilities Fixed ...
    web:cybersecuritynews.com

    Microsoft released its March 2026 Patch Tuesday security update on March 10, 2026 , addressing 78 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET. The update includes one actively exploited zero-day vulnerability and multiple Critical-rated flaws demanding immediate attention from security teams. The most urgent fix this month is CVE - 2026 -21262, the sole zero-day ...

    2026-05-22 17:14 UTC
  • Security Update Guide - Microsoft
    web:portal.msrc.microsoft.com

    The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.

    2026-05-22 17:14 UTC
  • Landing Page | ServiceNow Common Vulnerabilities & Exposures (CVE ...
    web:support.servicenow.com

    Overview The advisories below document publicly disclosed Common Vulnerabilities and Exposures ( CVEs ) in the Now Platform by ServiceNow. Because ServiceNow uses various methods to communicate vulnerability information, patches, and other fixes, customers should review family, security patch , and hotfix release notes, which are available at https://docs.servicenow.com, for a complete list of ...

    2026-05-22 17:14 UTC
  • Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
    web:www.bleepingcomputer.com

    Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities.

    2026-05-22 17:14 UTC
  • April 2026 Patch Tuesday: Updates and Analysis | CrowdStrike
    web:www.crowdstrike.com

    Microsoft's April 2026 Patch Tuesday addresses 164 CVEs , featuring 8 Critical vulnerabilities, one exploited zero-day, and one disclosed zero-day.

    2026-05-22 17:14 UTC
  • Oracle Critical Patch Update Advisory - April 2026
    web:www.oracle.com

    This Critical Patch Update contains 481 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2026 Critical Patch Update: Executive Summary and Analysis.

    2026-05-22 17:14 UTC
  • Microsoft's March 2026 update fixes 80+ security vulnerabilities
    web:www.pcworld.com

    This month's Patch Tuesday brings over 80 fixes for various security vulnerabilities. Fortunately, none are actively being exploited in the wild yet.

    2026-05-22 17:14 UTC
  • Windows 11 April 2026 Update tested: What's new, improved and fixed
    web:www.windowslatest.com

    Windows 11 April 2026 update adds Narrator Copilot support, faster Settings, File Explorer fixes, and key security improvements.

    2026-05-22 17:14 UTC
  • Microsoft and Adobe Patch Tuesday, April 2026 Security Update Review
    web:blog.qualys.com

    With Qualys Policy Audit's out-of-the-box mitigation or Compensatory Controls, which reduce the risk of a vulnerability being exploited because the remediation ( fix / patch ) cannot be done immediately, these security controls are not recommended by any industry standards, such as CIS and DISA-STIG.

    2026-05-22 17:14 UTC
  • Patch Tuesday May 2026: Security Updates & CVE Analysis
    web:zecurit.com

    Get the complete breakdown of Microsoft's May 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .

    2026-05-22 17:14 UTC

Vendor references (2)

References embedded in the original CVE record by the assigning CNA.

MITRE references (2) cveawg.mitre.org

Pulled from MITRE's CVE Services API by the 🛰 Backfill from MITRE button.

Web references (3)

DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.

NVD-tagged references (2)

Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.

Indicators (3)

IOCs linked to the auto-promoted Threat row.

TypeValueVirusTotalAttached
cwe CWE-77 no local data 2026-06-09 03:07 UTC
cwe CWE-78 no local data 2026-06-09 03:07 UTC
cve CVE-2026-42271 no local data 2026-06-09 02:31 UTC

Flagged vendors

    AI Forensic Analysis

    Only Available for Registered Users. Sign in to view.

    Raw JSON

    The full cvelistV5 record. Download as CVE-2026-42271.json.

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-09T03:55:48.638Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "litellm",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": ">= 1.74.2, < 1.83.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T03:35:16.758Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
        },
        {
          "name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
        }
      ],
      "source": {
        "advisory": "GHSA-v4p8-mg3p-g94g",
        "discovery": "UNKNOWN"
      },
      "title": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42271",
    "datePublished": "2026-05-08T03:35:16.758Z",
    "dateReserved": "2026-04-26T11:53:27.707Z",
    "dateUpdated": "2026-05-09T03:55:48.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}