
Actively Exploited LiteLLM Flaw Exposes Enterprise AI Gateways to Full Takeover
CISA has added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog — chained with a Starlette bypass, it yields unauthenticated remote code execution and API key theft.
A critical vulnerability in LiteLLM — the open-source gateway that thousands of enterprises use to route traffic to OpenAI, Anthropic and other model providers — is under active exploitation, and CISA has added it to the Known Exploited Vulnerabilities catalog with a near-term patching deadline for federal agencies.
The flaw: CVE-2026-42271 (CVSS 8.7) is a command injection affecting LiteLLM versions 1.74.2 up to (but not including) 1.83.7. Two MCP test endpoints accepted full server configurations in the request body — including the command, args and env fields used by the stdio transport — letting any authenticated user run arbitrary commands on the host.
The escalation: Researchers at Horizon3.ai chained the bug with CVE-2026-48710, a "BadHost" header validation bypass in the Starlette framework, to sidestep authentication entirely — turning it into unauthenticated remote code execution with no credentials required.
The blast radius: A compromised LiteLLM proxy is a skeleton key to an organization's AI stack: attackers can siphon provider API keys and stored secrets, move laterally into connected AI infrastructure, and compromise downstream systems integrated with the gateway.
The fix: Upgrade to LiteLLM 1.83.7, which restricts the vulnerable MCP test endpoints to the PROXY_ADMIN role, and update Starlette to 1.0.1 where applicable.
The incident is a reminder that the AI boom has created a new class of high-value infrastructure — and that the gateways aggregating every model credential in the enterprise are exactly where attackers are now looking.
Newsletter
Get Lanceum in your inbox
Weekly insights on AI and technology in Asia.


