LiteLLM Flaw Turns AI Gateway Into an Attack Gateway
CISA added LiteLLM CVE-2026-42271 to its Known Exploited Vulnerabilities catalogue after evidence of active exploitation. The flaw is a command injection vulnerability affecting LiteLLM versions 1.74.2 through before 1.83.7, allowing authenticated users to execute arbitrary commands on the host. Researchers also showed it could be chained with a Starlette host header validation bypass to achieve unauthenticated remote code execution. Successful exploitation could expose model credentials, API keys and connected AI infrastructure. Updating LiteLLM and Starlette is recommended.
AI infrastructure is moving quickly. Unfortunately, attackers appear to be keeping up just fine.
A command injection vulnerability in LiteLLM, tracked as CVE-2026-42271, is being actively exploited. LiteLLM is used as an AI gateway and proxy, helping organisations manage access to model providers and AI services. That makes it a very attractive target, because it may hold API keys, provider credentials and connections to downstream systems.
The flaw affects LiteLLM versions from 1.74.2 before 1.83.7. It allowed authenticated users to supply command-related values to test endpoints, causing the proxy host to execute commands with the privileges of the LiteLLM process.
That is already bad. Researchers then showed the issue could be chained with a Starlette host header validation bypass, potentially turning it into unauthenticated remote code execution. At that point, “AI gateway” starts sounding uncomfortably like “open front door”.
Organisations should update LiteLLM to 1.83.7 or later and Starlette to 1.0.1 or later. If patching cannot happen immediately, block the affected MCP REST test endpoints, restrict access to trusted networks, rotate stored credentials and review logs for unusual host headers or subprocess execution.
The message is clear: AI tooling needs the same disciplined patching, segmentation and monitoring as every other production system.