CVE-2026-42271 is a command injection vulnerability in BerriAI LiteLLM affecting versions 1.74.2 through 1.83.6. The issue is in the MCP server preview/test endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, which accepted a full MCP server configuration in the request body, including command, args, and env fields for the stdio transport. When a stdio configuration was supplied, LiteLLM attempted to connect by spawning the attacker-supplied command as a subprocess on the proxy host. The endpoints were protected only by possession of a valid proxy API key and did not enforce the intended PROXY_ADMIN role check, so any authenticated user, including low-privilege internal-user key holders, could trigger arbitrary command execution with the privileges of the LiteLLM proxy process.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-42271 affecting BerriAI LiteLLM AI Gateway versions 1.74.2 through 1.83.6. The repo contains three files: a minimal .gitignore, a README describing the vulnerability and usage, and the main exploit implementation in exploit.py. The exploit targets two authenticated HTTP POST endpoints exposed by LiteLLM's MCP testing functionality: /mcp-rest/test/connection and /mcp-rest/test/tools/list. Its core capability is authenticated remote code execution by sending attacker-controlled MCP configuration data that populates command, args, and env fields. The script builds multiple payload variants to improve reliability across deployments: a shell-based variant using sh -c or cmd.exe /c, a Python-based variant using python3 -c with os.system(), and an additional variant that attempts to capture command output into temporary files. It also tries several possible JSON wrapper keys (mcp_config, config, mcp_server_config, server_config, or direct payload) to match differing server-side request schemas. Operationally, the script accepts a target URL, API key, command to run, endpoint selection, and SSL verification options. It iterates through both vulnerable endpoints and each payload variant, sends POST requests with Bearer authentication, and reports HTTP/JSON responses. The exploit is not merely a detector; it is intended to trigger actual command execution on the host. Because the payload is hardcoded/basic rather than modularized into a larger framework, the maturity is best classified as OPERATIONAL.
This repository is a standalone Python proof-of-concept exploit for CVE-2026-42271, an authenticated OS command injection vulnerability in BerriAI LiteLLM MCP stdio test endpoints. The repo contains 8 files: documentation in README.md and docs/advisory.md, a reproducible vulnerable lab in docker-compose.yml, the exploit implementation in exploit/exploit.py, payload helpers in exploit/payload.py, a minimal requirements.txt, and a screenshots placeholder directory. The main exploit logic is in exploit/exploit.py. It uses requests to send authenticated POST requests to either /mcp-rest/test/tools/list or /mcp-rest/test/connection on a target LiteLLM instance. The script builds a JSON body with transport="stdio" and attacker-controlled command/args values, relying on the vulnerable server behavior of spawning the supplied command as a subprocess. The exploit supports selecting the endpoint, setting a target URL and API key, routing through an HTTP proxy, adjusting timeout, and running in an interactive blind-shell mode where each entered command is sent as a new exploit request. The helper module exploit/payload.py generates reusable payloads. It includes functions for generic payload creation, arbitrary shell command execution via bash -c, reverse shell generation, environment extraction by reading /proc/1/environ, and file-read payloads that redirect sensitive file contents into writable target-side files. The code explicitly notes that MCP SDK environment isolation prevents simple env dumping from revealing parent process secrets, so it instead targets /proc/1/environ to recover values such as LITELLM_MASTER_KEY. The exploit’s capabilities are substantial: authenticated remote code execution, blind interactive command execution, reverse shell payload generation, reading sensitive files, and extracting process environment variables. The README and code indicate that any valid API key is sufficient because the vulnerable endpoints lack proper role checks; in the default Docker deployment, the LiteLLM process runs as root, so successful exploitation yields root-level command execution inside the container. The docker-compose.yml file provides a reproducible environment with a pinned vulnerable LiteLLM v1.82.6 image on port 4000 and an optional fixed v1.83.7 image on port 4001. This confirms the repository’s purpose is both demonstration and reproducible exploitation of the vulnerability rather than mere detection. Overall, this is a real operational PoC exploit for authenticated web/network-based RCE against vulnerable LiteLLM deployments.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
107 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A command injection vulnerability in LiteLLM that allows authenticated users to execute arbitrary commands on the host via MCP test endpoints; when chained with CVE-2026-48710, it can lead to unauthenticated remote code execution.
A vulnerability in BerriAI LiteLLM that was listed in KEV as an actual exploit.
A previously disclosed MCP command injection vulnerability in LiteLLM mentioned for background/comparison.
A command execution vulnerability in the LiteLLM MCP test endpoint that allows arbitrary stdio command execution via crafted requests, leading to remote shell access and potential root-level compromise.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.