CVE-2026-42271
LiteLLM: Authenticated command execution via MCP stdio test endpoints
In short
LiteLLM proxy server had two test endpoints that allowed authenticated users to execute arbitrary commands on the host by providing a malicious command in the MCP server configuration. Any user with a valid API key, even with low privileges, could exploit this to run code with the proxy's privileges.
Technical detail
CWE-77/CWE-78 command injection vulnerability in POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list endpoints (versions 1.74.2–1.83.6). Attackers with valid proxy API keys could supply arbitrary commands in the stdio transport configuration (command, args, env fields), which were executed as subprocesses without role-based access control, leading to unauthenticated code execution on the proxy host.
Summary generated and translated by AI from the official description.
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.