{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3alitellmlitellm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-42271"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LiteLLM"],"_cs_severities":["high"],"_cs_tags":["command injection","rce","litellm","CVE-2026-42271"],"_cs_type":"advisory","_cs_vendors":["BerriAI"],"content_html":"\u003cp\u003eA command injection vulnerability, tracked as CVE-2026-42271, affects LiteLLM versions 1.74.2 up to, but not including, 1.83.7. The vulnerability resides in the MCP (Message Connector Protocol) stdio transport and can be exploited through the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints. An attacker with a valid API key can leverage this flaw to execute arbitrary operating system commands with root privileges within the Docker container, which is the default deployment. The availability of a public exploit on Sploitus significantly increases the risk to unpatched LiteLLM instances. A proof-of-concept exploit, along with mitigation steps, is documented in the advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid LiteLLM API key.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e or \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body specifies \u003ccode\u003e\u0026quot;transport\u0026quot;: \u0026quot;stdio\u0026quot;\u003c/code\u003e to enable the vulnerable transport.\u003c/li\u003e\n\u003cli\u003eThe request body includes a \u003ccode\u003e\u0026quot;command\u0026quot;\u003c/code\u003e field, set to a common shell executable such as \u003ccode\u003ebash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body includes an \u003ccode\u003e\u0026quot;args\u0026quot;\u003c/code\u003e array containing shell arguments crafted to execute arbitrary commands (e.g., \u003ccode\u003e\u0026quot;-c\u0026quot;, \u0026quot;id \u0026gt; /tmp/pwned\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe LiteLLM server spawns a subprocess using the provided command and arguments.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled command executes with root privileges inside the Docker container.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution, potentially leading to data exfiltration, reverse shell establishment, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected LiteLLM instance. In a default Docker deployment, this provides complete control over the container, leading to potential data exfiltration, deployment of malware, or further lateral movement within the network. The vulnerability impacts any LiteLLM instances running versions between 1.74.2 and 1.83.6 that have not applied the necessary patches or mitigations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to apply the command whitelist and role-based access control fixes (CVE-2026-42271).\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy rule to block access to the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eRotate API keys and restrict their privileges to minimize the impact of potential key compromise.\u003c/li\u003e\n\u003cli\u003eDeploy LiteLLM in a Docker container with a non-root user context (\u003ccode\u003edocker run --user 1000:1000 ...\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting these endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T02:01:38Z","date_published":"2026-05-20T02:01:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-litellm-cmd-injection/","summary":"A command injection vulnerability exists in LiteLLM versions 1.74.2 to \u003c 1.83.7, allowing authenticated users with a valid API key to execute arbitrary OS commands as root via the MCP stdio transport through the `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` endpoints, especially in default Docker deployments, and a public exploit is available.","title":"LiteLLM Authenticated Command Injection via MCP stdio Test Endpoints (CVE-2026-42271)","url":"https://feed.craftedsignal.io/briefs/2026-05-litellm-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}