Command Injection in BerriAI LiteLLM MCP preview endpoints
CVE-2026-42271 affects BerriAI LiteLLM from version 1.74.2 up to, but not including, 1.83.7. The vulnerability is present in the MCP server preview endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. These endpoints accepted a full MCP server configuration in the request body, including stdio transport fields such as command, args, and env. When a request supplied a stdio configuration, LiteLLM attempted to connect to the specified MCP server by spawning the provided command as a subprocess on the proxy host. Because access control on these endpoints required only a valid proxy API key and did not enforce a role check, any authenticated user, including holders of low-privilege internal-user keys, could cause arbitrary commands to be executed on the host with the privileges of the LiteLLM proxy process.
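A defensive check for the behaviour described above, added here as an example and not taken from LiteLLM or the advisory: it tests whether a version falls in the affected range and scans request logs for stdio configurations posted to the two preview endpoints. The JSON log schema (ts, method, path, key_alias, body) and the sample records are constructed assumptions; map the fields to whatever your proxy or gateway actually records.

```python
import json
import re

# Endpoints and affected range as stated in the advisory text above.
PREVIEW_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
FIRST_AFFECTED, FIRST_FIXED = (1, 74, 2), (1, 83, 7)


def is_affected(version: str) -> bool:
    """True if X.Y.Z is in [1.74.2, 1.83.7); any suffix after X.Y.Z is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return FIRST_AFFECTED <= tuple(int(g) for g in m.groups()) < FIRST_FIXED


def flag_stdio_previews(log_lines):
    """Return records that POST a stdio MCP config to a preview endpoint."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the scan
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        path = str(rec.get("path") or "").split("?", 1)[0].rstrip("/")
        body = rec.get("body")
        if path not in PREVIEW_PATHS or not isinstance(body, dict):
            continue
        # A stdio config is what leads to a subprocess spawn on the proxy host.
        if body.get("transport") == "stdio" or "command" in body:
            hits.append({"ts": rec.get("ts"), "key_alias": rec.get("key_alias"),
                         "path": path, "command": body.get("command"),
                         "args": body.get("args", [])})
    return hits


# Constructed sample records (assumed log schema, not real LiteLLM output).
SAMPLE_LOG = [
    '{"ts":"2026-01-01T10:00:00Z","method":"POST","path":"/mcp-rest/test/connection","key_alias":"internal-user-1","body":{"transport":"stdio","command":"example-binary","args":["--flag"]}}',
    '{"ts":"2026-01-01T10:01:00Z","method":"POST","path":"/mcp-rest/test/tools/list","key_alias":"admin","body":{"transport":"sse","url":"https://mcp.example.internal/sse"}}',
    '{"ts":"2026-01-01T10:02:00Z","method":"GET","path":"/health","key_alias":"internal-user-1","body":null}',
    'not json',
]

if __name__ == "__main__":
    for hit in flag_stdio_previews(SAMPLE_LOG):
        print(hit)
```

Any hit on a host running an affected version warrants review of the command and args recorded and of the key that sent the request.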
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a standalone Python proof-of-concept exploit for CVE-2026-42271, an authenticated OS command injection vulnerability in BerriAI LiteLLM MCP stdio test endpoints. The repo contains 8 files: documentation in README.md and docs/advisory.md, a reproducible vulnerable lab in docker-compose.yml, the exploit implementation in exploit/exploit.py, payload helpers in exploit/payload.py, a minimal requirements.txt, and a screenshots placeholder directory.
The main exploit logic is in exploit/exploit.py. It uses requests to send authenticated POST requests to either /mcp-rest/test/tools/list or /mcp-rest/test/connection on a target LiteLLM instance. The script builds a JSON body with transport="stdio" and attacker-controlled command/args values, relying on the vulnerable server behavior of spawning the supplied command as a subprocess. The exploit supports selecting the endpoint, setting a target URL and API key, routing through an HTTP proxy, adjusting timeout, and running in an interactive blind-shell mode where each entered command is sent as a new exploit request.
The helper module exploit/payload.py generates reusable payloads. It includes functions for generic payload creation, arbitrary shell command execution via bash -c, reverse shell generation, environment extraction by reading /proc/1/environ, and file-read payloads that redirect sensitive file contents into writable target-side files. The code explicitly notes that MCP SDK environment isolation prevents simple env dumping from revealing parent process secrets, so it instead targets /proc/1/environ to recover values such as LITELLM_MASTER_KEY.
The exploit’s capabilities are substantial: authenticated remote code execution, blind interactive command execution, reverse shell payload generation, reading sensitive files, and extracting process environment variables.
The README and code indicate that any valid API key is sufficient because the vulnerable endpoints lack proper role checks; in the default Docker deployment, the LiteLLM process runs as root, so successful exploitation yields root-level command execution inside the container. The docker-compose.yml file provides a reproducible environment with a pinned vulnerable LiteLLM v1.82.6 image on port 4000 and an optional fixed v1.83.7 image on port 4001. This confirms the repository’s purpose is both demonstration and reproducible exploitation of the vulnerability rather than mere detection. Overall, this is a real operational PoC exploit for authenticated web/network-based RCE against vulnerable LiteLLM deployments.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.