Vulnerability-Lookup

CVE-2026-42271 (GCVE-0-2026-42271)

Vulnerability from cvelistv5 – Published: 2026-05-08 03:35 – Updated: 2026-06-09 03:55

CISA KEV KEVintel KEV

Title

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Summary

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

SSVC

Exploitation: active Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/BerriAI/litellm/security/advis…	x_refsource_CONFIRM
https://github.com/BerriAI/litellm/releases/tag/v…	x_refsource_MISC
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

1 product

Vendor	Product	Version
BerriAI	litellm	Affected: >= 1.74.2, < 1.83.7

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: fc2749e6-b097-4d27-bc2f-6df29375da7f

Vulnerability ID: CVE-2026-42271

Status: Confirmed

Status Updated: 2026-06-08 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2026-06-08

Asserted: 2026-06-08

Scope

Notes: KEV entry: BerriAI LiteLLM Command Injection Vulnerability | Affected: BerriAI / LiteLLM | Description: BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-06-22 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g ; https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable ; https://nvd.nist.gov/vuln/detail/CVE-2026-42271

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-78 CWE-77
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	LiteLLM
Due Date	2026-06-22
Date Added	2026-06-08
Vendorproject	BerriAI
Vulnerabilityname	BerriAI LiteLLM Command Injection Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2026-42271

Created: 2026-06-08 18:00 UTC | Updated: 2026-06-08 18:00 UTC

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 2dffeba4-d318-4ca1-82b1-e5c5157901a4

Vulnerability ID: CVE-2026-42271

Status: Confirmed

Status Updated: 2026-06-08 18:00 UTC

Exploited: Yes

Timestamps

First Seen: 2026-06-08

Asserted: 2026-06-08

Scope

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	LiteLLM: Authenticated command execution via MCP stdio test endpoints
Vendor	BerriAI
Product	litellm
Added Date	2026-06-08T18:00:45.030Z
Cvss Score	8.7
Epss Score	0.53701
Cvss Severity	HIGH
Epss Percentile	0.98862
Used In Malware	unknown
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	False

References

Created: 2026-06-19 12:45 UTC | Updated: 2026-06-19 12:45 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42271",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-06-08",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T03:55:26.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-08T00:00:00.000Z",
            "value": "CVE-2026-42271 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "litellm",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.74.2, \u003c 1.83.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T03:35:16.758Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
        },
        {
          "name": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
        }
      ],
      "source": {
        "advisory": "GHSA-v4p8-mg3p-g94g",
        "discovery": "UNKNOWN"
      },
      "title": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42271",
    "datePublished": "2026-05-08T03:35:16.758Z",
    "dateReserved": "2026-04-26T11:53:27.707Z",
    "dateUpdated": "2026-06-09T03:55:26.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2026-42271",
      "cwes": "[\"CWE-78\", \"CWE-77\"]",
      "dateAdded": "2026-06-08",
      "dueDate": "2026-06-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g ; https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable ; https://nvd.nist.gov/vuln/detail/CVE-2026-42271",
      "product": "LiteLLM",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.",
      "vendorProject": "BerriAI",
      "vulnerabilityName": "BerriAI LiteLLM Command Injection Vulnerability"
    },
    "epss": {
      "cve": "CVE-2026-42271",
      "date": "2026-06-20",
      "epss": "0.53701",
      "percentile": "0.98861"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42271\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T04:16:21.820\",\"lastModified\":\"2026-06-09T01:22:09.190\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-06-08\",\"cisaActionDue\":\"2026-06-22\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"BerriAI LiteLLM Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.74.2\",\"versionEndExcluding\":\"1.83.7\",\"matchCriteriaId\":\"D249DFDB-5D0D-4053-A997-0900F77F9A13\"}]}]}],\"references\":[{\"url\":\"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42271\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-08T17:47:03.864516Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-06-08\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T14:31:02.765Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-06-08T00:00:00.000Z\", \"value\": \"CVE-2026-42271 added to CISA KEV\"}]}], \"cna\": {\"title\": \"LiteLLM: Authenticated command execution via MCP stdio test endpoints\", \"source\": {\"advisory\": \"GHSA-v4p8-mg3p-g94g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"BerriAI\", \"product\": \"litellm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.74.2, \u003c 1.83.7\"}]}], \"references\": [{\"url\": \"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\", \"name\": \"https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\", \"name\": \"https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \\u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \\u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \\u2014 including holders of low-privilege internal-user keys \\u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T03:35:16.758Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42271\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T19:58:23.479Z\", \"dateReserved\": \"2026-04-26T11:53:27.707Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T03:35:16.758Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42271

Vulnerability from fkie_nvd - Published: 2026-05-08 04:16 - Updated: 2026-06-17 10:47

CISA KEV KEVintel KEV

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable	Product, Release Notes
security-advisories@github.com	https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g	Mitigation, Patch, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271	US Government Resource

Impacted products

	Vendor	Product	Version
	litellm	litellm	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "litellm",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.74.2, \u003c 1.83.7"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "cisaActionDue": "2026-06-22",
  "cisaExploitAdd": "2026-06-08",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "BerriAI LiteLLM Command Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D249DFDB-5D0D-4053-A997-0900F77F9A13",
              "versionEndExcluding": "1.83.7",
              "versionStartIncluding": "1.74.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it \u2014 POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list \u2014 accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7."
    }
  ],
  "id": "CVE-2026-42271",
  "lastModified": "2026-06-17T10:47:36.560",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-42271",
          "options": [
            {
              "exploitation": "active"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-05-08T00:00:00+00:00",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-05-08T04:16:21.820",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        },
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-V4P8-MG3P-G94G

Vulnerability from github – Published: 2026-04-25 23:27 – Updated: 2026-06-09 13:07

Summary

LiteLLM: Authenticated command execution via MCP stdio test endpoints

Details

Impact

Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.

The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.

Patches

Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.

Workarounds

If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.74.2"
            },
            {
              "fixed": "1.83.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:27:54Z",
    "nvd_published_at": "2026-05-08T04:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nTwo endpoints used to preview an MCP server before saving it \u2014 `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` \u2014 accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.\n\nThe endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user \u2014 including holders of low-privilege internal-user keys \u2014 could therefore run arbitrary commands on the host.\n\n### Patches\n\nFixed in **`1.83.7`**. Both test endpoints now require the `PROXY_ADMIN` role, bringing them into line with the save endpoint.\n\n### Workarounds\n\nIf upgrading is not immediately possible, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway.",
  "id": "GHSA-v4p8-mg3p-g94g",
  "modified": "2026-06-09T13:07:06Z",
  "published": "2026-04-25T23:27:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42271"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BerriAI/litellm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LiteLLM: Authenticated command execution via MCP stdio test endpoints"
}

NCSC-2026-0137

Vulnerability from csaf_ncscnl - Published: 2026-05-11 06:38 - Updated: 2026-05-11 06:38

Summary

Kwetsbaarheden verholpen in LiteLLM door BerriAI

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: BerriAI heeft kwetsbaarheden verholpen in LiteLLM, specifiek in versies 1.74.2 tot en met 1.83.6.

Interpretaties: LiteLLM is een veelgebruikte proxy om op gecentraliseerde wijze API's naar een groot aantal LLM systemen te beheren. De eerste kwetsbaarheid betreft een SQL-injectie in het proxy API key verificatiemechanisme, waardoor niet-geauthenticeerde aanvallers SQL-injectieaanvallen kunnen uitvoeren om proxy databasegegevens te lezen en te wijzigen. Dit kan leiden tot het compromitteren van credentials en verdere ongeautoriseerde toegang tot het systeem. De tweede kwetsbaarheid betreft twee preview endpoints in de MCP server feature die volledige serverconfiguraties accepteren. Elke geauthenticeerde gebruiker met een geldige proxy API key kan hiermee willekeurige commando's uitvoeren op de proxy host, zonder dat hiervoor administratieve rechten vereist zijn. Deze kwetsbaarheid maakt ongeautoriseerde command execution mogelijk.

Oplossingen: BerriAI heeft versie 1.83.7 van LiteLLM uitgebracht waarin beide kwetsbaarheden zijn verholpen. De SQL-injectie is opgelost en de toegang tot de preview endpoints is beperkt tot gebruikers met de PROXY_ADMIN rol. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2026-42208

LiteLLM versions prior to 1.83.7 contain a critical SQL injection vulnerability in proxy API key verification that allows unauthenticated attackers to read and modify database data, risking unauthorized access and credential compromise.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* BerriAI / LiteLLM		vers:unknown/*

CVE-2026-42271

LiteLLM versions 1.74.2 to before 1.83.7 had two preview endpoints allowing authenticated users with a proxy API key to execute arbitrary commands on the host, fixed by requiring the PROXY_ADMIN role in version 1.83.7.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
vers:unknown/* BerriAI / LiteLLM		vers:unknown/*

References

4 references

URL	Category
https://github.com/BerriAI/litellm/security/advis…	external
https://github.com/BerriAI/litellm/security/advis…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "BerriAI heeft kwetsbaarheden verholpen in LiteLLM, specifiek in versies 1.74.2 tot en met 1.83.6.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "LiteLLM is een veelgebruikte proxy om op gecentraliseerde wijze API\u0027s naar een groot aantal LLM systemen te beheren.\n\nDe eerste kwetsbaarheid betreft een SQL-injectie in het proxy API key verificatiemechanisme, waardoor niet-geauthenticeerde aanvallers SQL-injectieaanvallen kunnen uitvoeren om proxy databasegegevens te lezen en te wijzigen. Dit kan leiden tot het compromitteren van credentials en verdere ongeautoriseerde toegang tot het systeem. De tweede kwetsbaarheid betreft twee preview endpoints in de MCP server feature die volledige serverconfiguraties accepteren. Elke geauthenticeerde gebruiker met een geldige proxy API key kan hiermee willekeurige commando\u0027s uitvoeren op de proxy host, zonder dat hiervoor administratieve rechten vereist zijn. Deze kwetsbaarheid maakt ongeautoriseerde command execution mogelijk.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "BerriAI heeft versie 1.83.7 van LiteLLM uitgebracht waarin beide kwetsbaarheden zijn verholpen. De SQL-injectie is opgelost en de toegang tot de preview endpoints is beperkt tot gebruikers met de PROXY_ADMIN rol. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
        "title": "CWE-77"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
        "title": "CWE-78"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
        "title": "CWE-89"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
      }
    ],
    "title": "Kwetsbaarheden verholpen in LiteLLM door BerriAI",
    "tracking": {
      "current_release_date": "2026-05-11T06:38:59.274837Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0137",
      "initial_release_date": "2026-05-11T06:38:59.274837Z",
      "revision_history": [
        {
          "date": "2026-05-11T06:38:59.274837Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "LiteLLM"
          }
        ],
        "category": "vendor",
        "name": "BerriAI"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42208",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "title": "CWE-89"
        },
        {
          "category": "description",
          "text": "LiteLLM versions prior to 1.83.7 contain a critical SQL injection vulnerability in proxy API key verification that allows unauthenticated attackers to read and modify database data, risking unauthorized access and credential compromise.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-42208 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42208.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-42208"
    },
    {
      "cve": "CVE-2026-42271",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "title": "CWE-78"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
          "title": "CWE-77"
        },
        {
          "category": "description",
          "text": "LiteLLM versions 1.74.2 to before 1.83.7 had two preview endpoints allowing authenticated users with a proxy API key to execute arbitrary commands on the host, fixed by requiring the PROXY_ADMIN role in version 1.83.7.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-42271 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42271.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-42271"
    }
  ]
}

WID-SEC-W-2026-1288

Vulnerability from csaf_certbund - Published: 2026-04-27 22:00 - Updated: 2026-06-08 22:00

Summary

LiteLLM: Mehrere Schwachstellen

Severity

Kritisch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: LiteLLM ist ein Gateway, das eine einheitliche Schnittstelle für verschiedene Large Language Models (LLMs) bietet.

Angriff: Ein Angreifer kann mehrere Schwachstellen in LiteLLM ausnutzen, um einen SQL-Injection-Angriff durchzuführen und sich unbefugten Zugriff zu verschaffen oder um beliebigen Programmcode mit den Rechten des Dienstes auszuführen

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-42208

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source LiteLLM <1.83.7 Open Source / LiteLLM		<1.83.7

CVE-2026-42271

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source LiteLLM >=1.81.16 Open Source / LiteLLM		>=1.81.16
Open Source LiteLLM <1.83.7 Open Source / LiteLLM		<1.83.7

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/BerriAI/litellm/security/advis…	external
https://webflow.sysdig.com/blog/cve-2026-42208-ta…	external
https://github.com/BerriAI/litellm/security/advis…	external
https://www.cisa.gov/news-events/alerts/2026/06/0…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "LiteLLM ist ein Gateway, das eine einheitliche Schnittstelle f\u00fcr verschiedene Large Language Models (LLMs) bietet.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in LiteLLM ausnutzen, um einen SQL-Injection-Angriff durchzuf\u00fchren und sich unbefugten Zugriff zu verschaffen oder um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1288 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1288.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1288 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1288"
      },
      {
        "category": "external",
        "summary": "GitHub Vulnerability Database vom 2026-04-27",
        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc"
      },
      {
        "category": "external",
        "summary": "Sysdig Blog vom 2026-04-27",
        "url": "https://webflow.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure"
      },
      {
        "category": "external",
        "summary": "GitHub Vulnerability Database vom 2026-04-27",
        "url": "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
      },
      {
        "category": "external",
        "summary": "Exploit CVE-2026-42271 vom 2026-06-08",
        "url": "https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog"
      }
    ],
    "source_lang": "en-US",
    "title": "LiteLLM: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-08T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-09T11:10:58.406+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1288",
      "initial_release_date": "2026-04-27T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-27T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-28503, EUVD-2026-28507"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "3",
          "summary": "CVE-2026-42271 Exploit"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=1.81.16",
                "product": {
                  "name": "Open Source LiteLLM \u003e=1.81.16",
                  "product_id": "T053363"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e=1.81.16",
                "product": {
                  "name": "Open Source LiteLLM \u003e=1.81.16",
                  "product_id": "T053363-fixed"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.83.7",
                "product": {
                  "name": "Open Source LiteLLM \u003c1.83.7",
                  "product_id": "T053364"
                }
              },
              {
                "category": "product_version",
                "name": "1.83.7",
                "product": {
                  "name": "Open Source LiteLLM 1.83.7",
                  "product_id": "T053364-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:litellm:litellm:1.83.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e=1.74.2",
                "product": {
                  "name": "Open Source LiteLLM \u003e=1.74.2",
                  "product_id": "T053371"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e=1.74.2",
                "product": {
                  "name": "Open Source LiteLLM \u003e=1.74.2",
                  "product_id": "T053371-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "LiteLLM"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42208",
      "product_status": {
        "known_affected": [
          "T053364"
        ]
      },
      "release_date": "2026-04-27T22:00:00.000+00:00",
      "title": "CVE-2026-42208"
    },
    {
      "cve": "CVE-2026-42271",
      "product_status": {
        "known_affected": [
          "T053363",
          "T053364"
        ]
      },
      "release_date": "2026-04-27T22:00:00.000+00:00",
      "title": "CVE-2026-42271"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42271 (GCVE-0-2026-42271)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Successful Exploitation Confidence: 70% Source: kevintel

Details

References

FKIE_CVE-2026-42271

GHSA-V4P8-MG3P-G94G

Impact

Patches

Workarounds

NCSC-2026-0137

WID-SEC-W-2026-1288

Tags

Sightings

Nomenclature