BerriAI — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/berriai/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 20 May 2026 02:01:38 +0000LiteLLM Authenticated Command Injection via MCP stdio Test Endpoints (CVE-2026-42271)https://feed.craftedsignal.io/briefs/2026-05-litellm-cmd-injection/Wed, 20 May 2026 02:01:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-litellm-cmd-injection/A command injection vulnerability exists in LiteLLM versions 1.74.2 to < 1.83.7, allowing authenticated users with a valid API key to execute arbitrary OS commands as root via the MCP stdio transport through the `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` endpoints, especially in default Docker deployments, and a public exploit is available.A command injection vulnerability, tracked as CVE-2026-42271, affects LiteLLM versions 1.74.2 up to, but not including, 1.83.7. The vulnerability resides in the MCP (Message Connector Protocol) stdio transport and can be exploited through the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints. An attacker with a valid API key can leverage this flaw to execute arbitrary operating system commands with root privileges within the Docker container, which is the default deployment. The availability of a public exploit on Sploitus significantly increases the risk to unpatched LiteLLM instances. A proof-of-concept exploit, along with mitigation steps, is documented in the advisory.

Attack Chain

  1. An attacker obtains a valid LiteLLM API key.
  2. The attacker sends a POST request to /mcp-rest/test/connection or /mcp-rest/test/tools/list.
  3. The request body specifies "transport": "stdio" to enable the vulnerable transport.
  4. The request body includes a "command" field, set to a common shell executable such as bash.
  5. The request body includes an "args" array containing shell arguments crafted to execute arbitrary commands (e.g., "-c", "id > /tmp/pwned").
  6. The LiteLLM server spawns a subprocess using the provided command and arguments.
  7. The attacker-controlled command executes with root privileges inside the Docker container.
  8. The attacker achieves arbitrary command execution, potentially leading to data exfiltration, reverse shell establishment, or persistence.

Impact

Successful exploitation of this command injection vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected LiteLLM instance. In a default Docker deployment, this provides complete control over the container, leading to potential data exfiltration, deployment of malware, or further lateral movement within the network. The vulnerability impacts any LiteLLM instances running versions between 1.74.2 and 1.83.6 that have not applied the necessary patches or mitigations.

Recommendation

  • Upgrade LiteLLM to version 1.83.7 or later to apply the command whitelist and role-based access control fixes (CVE-2026-42271).
  • Implement a reverse proxy rule to block access to the /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints.
  • Rotate API keys and restrict their privileges to minimize the impact of potential key compromise.
  • Deploy LiteLLM in a Docker container with a non-root user context (docker run --user 1000:1000 ...).
  • Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting these endpoints.
]]>highadvisorycommand injectionrcelitellmCVE-2026-42271