Mallory
Unrated

Authenticated RCE in LiteLLM MCP server creation

Identifiers: CVE-2026-30623, CWE-78

LiteLLM contains an authenticated remote command execution vulnerability in its MCP server creation functionality. According to the provided context, low-privilege internal-user keys could reach a command-execution path that allowed attacker-controlled command and argument values to be executed on the host through MCP stdio server creation. The issue is described as stemming from insufficient authorization around an administrator-only capability and unsafe execution of user-supplied MCP stdio configuration. The vulnerable behavior allowed non-admin users to access functionality that should have been restricted to privileged administrators, ultimately reaching host-level command execution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege user to execute arbitrary operating system commands on the LiteLLM host in the security context of the LiteLLM process. This can lead to full server compromise, theft of API keys and other secrets handled by LiteLLM, modification of service configuration, persistence, and potential lateral movement into connected internal or cloud resources.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to MCP stdio server creation and related administrative functionality to trusted administrators only. Remove or disable MCP stdio functionality if it is not required, and avoid allowing low-privilege users to supply command or argument values that will be executed on the host. Monitor for suspicious MCP server creation events and unexpected child-process execution from the LiteLLM service account. Where possible, run LiteLLM with least privilege and isolate it from sensitive host resources.

Remediation

Patch, then assume compromise.

Apply the vendor patch for CVE-2026-30623. The provided context states that LiteLLM fixed the issue by requiring the PROXY_ADMIN role for the affected MCP server creation path. Administrators should upgrade to a patched LiteLLM release that enforces this authorization boundary and review whether any untrusted or low-privilege users were previously able to create or modify MCP stdio server configurations.
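The review step above can be scripted. The following is an added example, not LiteLLM code: it checks an export of stored MCP server records for stdio entries that a non-admin created or that launch something outside an approved list. The record fields (`name`, `transport`, `command`, `args`, `created_by_role`), the role strings and the allowlist are assumptions to adapt to your own export.

```python
import os

# Assumed role string; the page names the PROXY_ADMIN role, the value is illustrative.
ADMIN_ROLE = "proxy_admin"
# Assumption: launchers your administrators have approved for stdio MCP servers.
ALLOWED_COMMANDS = {"npx", "uvx", "python3"}
# Shells, and flags that make an otherwise approved launcher run inline code.
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}
INLINE_FLAGS = {"-c", "-e", "--eval", "/c"}


def review_record(rec):
    """Return the reasons a stored MCP server record needs manual review."""
    if rec.get("transport") != "stdio":
        return []  # only stdio servers spawn a process on the host
    reasons = []
    if rec.get("created_by_role") != ADMIN_ROLE:
        reasons.append("stdio server created by non-admin role")
    cmd = os.path.basename(str(rec.get("command", ""))).lower()
    if cmd in SHELLS:
        reasons.append("command is a shell")
    elif cmd not in ALLOWED_COMMANDS:
        reasons.append("command not in allowlist")
    if any(str(a).lower() in INLINE_FLAGS for a in (rec.get("args") or [])):
        reasons.append("argument runs inline code")
    return reasons


def review_all(records):
    """Map server name -> reasons, for records with at least one finding."""
    return {r["name"]: why for r in records if (why := review_record(r))}


# Constructed sample records, not real LiteLLM data.
SAMPLE = [
    {"name": "docs-search", "transport": "stdio", "command": "npx",
     "args": ["example-mcp-server"], "created_by_role": "proxy_admin"},
    {"name": "helper", "transport": "stdio", "command": "/bin/sh",
     "args": ["-c", "<inline command>"], "created_by_role": "internal_user"},
    {"name": "remote-tools", "transport": "http",
     "url": "https://mcp.example.internal", "created_by_role": "internal_user"},
    {"name": "py-tool", "transport": "stdio", "command": "python3",
     "args": ["-c", "<inline code>"], "created_by_role": "proxy_admin"},
]

if __name__ == "__main__":
    for name, why in review_all(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

Any record this flags as created by a non-admin role predates the authorization fix and is a starting point for the assume-compromise review, alongside process-execution logs for the LiteLLM service account.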
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
