
Hackers Exploit LiteLLM RCE Vulnerability in the Wild

Sarah Simpson
June 9, 2026

Threat actors are actively exploiting a critical chained vulnerability within LiteLLM, a widely used open-source AI gateway proxy. The exploit enables unauthenticated remote code execution (RCE) on vulnerable deployments. Security researchers at Horizon3.ai confirmed this critical attack path, noting it stems from the combination of two separate CVEs. This chain results in a CVSS 10.0 Critical vulnerability, requiring zero credentials for successful exploitation.

At the core of this threat is CVE-2026-42271, a command injection flaw in LiteLLM’s Model Context Protocol (MCP) server test endpoints. Specifically, the following endpoints accept full server configurations including commands, arguments, and environment variables — and spawn the supplied input as a subprocess on the host:

  • POST /mcp-rest/test/connection
  • POST /mcp-rest/test/tools/list

When initially disclosed on April 20, 2026, the flaw was considered limited in impact because access required a valid proxy API key. That assumption was dismantled when Horizon3.ai researchers chained it with CVE-2026-48710, a Starlette “BadHost” Host Header validation bypass affecting Starlette versions 1.0.0 and earlier.

By manipulating the HTTP Host header to exploit the Starlette authentication bypass, attackers can sidestep LiteLLM’s API key requirement entirely. The result is unauthenticated remote code execution: attacker-supplied commands run with the same privileges as the LiteLLM proxy process, with no login or API key required.

Affected versions span LiteLLM 1.74.2 through 1.83.6 on deployments whose dependency tree includes Starlette ≤ 1.0.0.

LiteLLM RCE Vulnerability Exploited

Successful exploitation of this chained vulnerability gives attackers significant reach into AI infrastructure. Once code execution is achieved, threat actors can:

  • Execute arbitrary OS commands on the LiteLLM host
  • Steal API keys and model provider credentials stored by the proxy
  • Access secrets and environment variables in the proxy process
  • Move laterally into connected AI infrastructure and downstream systems

Given that LiteLLM is widely used to route and manage API calls to large language models (LLMs) from providers like OpenAI, Anthropic, and Azure, a compromise of the gateway layer can cascade into broader AI supply chain exposure.

Indicators of Compromise

Security teams should monitor for the following signs of exploitation activity:

  • Unexpected subprocess execution originating from the LiteLLM process
  • HTTP requests targeting /mcp-rest/test/connection or /mcp-rest/test/tools/list
  • Unusual or malformed Host header values in proxy logs
  • Unauthorized command execution events on the host system

Organizations should immediately upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is updated to version 1.0.1 or later. If patching cannot be applied immediately, defenders should:

  • Block external access to the MCP test endpoints
  • Restrict proxy network access to trusted segments only
  • Rotate all credentials and API keys stored by the proxy
  • Review logs for anomalous Host header values and subprocess events
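
The log review called for in the indicator list and the mitigation list above can be scripted. The following is an added example, not code from LiteLLM or Horizon3.ai. It assumes the proxy or its front-end writes JSON-lines access logs with hypothetical `method`, `path` and `host` fields, and that `EXPECTED_HOSTS` holds the names the gateway is legitimately reached by.

```python
import json
import re

# Endpoints named in the article as the CVE-2026-42271 entry points.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Assumption: hostnames this gateway is legitimately addressed by.
EXPECTED_HOSTS = {"llm-gw.internal.example", "llm-gw.internal.example:4000"}
# Plain hostname or IPv4 with optional port; anything else counts as malformed.
HOST_SYNTAX = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::\d{1,5})?$")

def triage(log_lines, expected_hosts=EXPECTED_HOSTS):
    """Return (line_no, severity, reasons) for each request worth a look."""
    findings = []
    for line_no, raw in enumerate(log_lines, start=1):
        try:
            event = json.loads(raw)
            if not isinstance(event, dict):
                raise ValueError("log record is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            findings.append((line_no, "review", ["unparseable log line"]))
            continue
        # Normalise the path: drop the query string and a trailing slash.
        path = str(event.get("path", "")).split("?", 1)[0].rstrip("/")
        host = event.get("host")
        reasons = []
        if event.get("method") == "POST" and path in MCP_TEST_PATHS:
            reasons.append("POST to MCP test endpoint")
        if not isinstance(host, str) or not HOST_SYNTAX.match(host):
            reasons.append("missing or malformed Host header")
        elif host.lower() not in expected_hosts:
            reasons.append("Host header not in allowlist")
        if not reasons:
            continue
        # A test-endpoint request with an odd Host is the chained pattern.
        hits_endpoint = reasons[0] == "POST to MCP test endpoint"
        severity = "high" if hits_endpoint and len(reasons) > 1 else "review"
        findings.append((line_no, severity, reasons))
    return findings

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = [
    '{"method":"POST","path":"/v1/chat/completions","host":"llm-gw.internal.example"}',
    '{"method":"POST","path":"/mcp-rest/test/connection","host":"llm-gw.internal.example"}',
    '{"method":"POST","path":"/mcp-rest/test/tools/list/","host":"unknown.invalid"}',
    '{"method":"GET","path":"/health","host":"bad host value"}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any hit on the test endpoints deserves review on its own; correlate "high" findings with process-creation telemetry for children of the LiteLLM process over the same time window.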

Given active in-the-wild exploitation, patching should be treated as an emergency priority for any organization running a self-hosted LiteLLM deployment.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
