CVE-2026-42271 LiteLLM MCP Command Injection: CISA KEV Addition and Confirmed Active Exploitation
Date: 2026-06-10
Tags: mcp-security, supply-chain
Executive Summary
On June 9, 2026, CISA added CVE-2026-42271 to the KEV catalog, citing confirmed active exploitation in the wild. The command injection flaw in LiteLLM MCP test endpoints was disclosed April 20, 2026, with fixes released May 8, 2026 in version 1.83.7. Confirmed attacks followed within five weeks of the patch being published, leaving operators a narrow window to patch and put detection in place.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | CVE-2026-42271 LiteLLM MCP RCE Exploitation |
| Attribution | Unknown threat actor(s) (confidence: low) |
| Target | LiteLLM proxy deployments with MCP test endpoints exposed |
| Vector | Command injection via MCP test endpoint |
| Status | active |
| First Observed | 2026-06-09 |
Detailed Findings
CVE-2026-42271 is a command injection flaw in LiteLLM MCP test endpoints disclosed April 20, 2026. Patches arrived May 8, 2026 in version 1.83.7, which added authorisation controls and updated Starlette dependencies. CVE-2026-48710 ('BadHost'), a related host header bypass in Starlette, was publicly disclosed May 26, 2026. Horizon3.ai confirmed the chained unauthenticated RCE path on June 1, 2026. This represents a critical infrastructure risk for LLM proxy operators relying on MCP for agent communication, with exploitation occurring weeks after patch availability.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploitation of Remote Services | T1190 | Unauthenticated command injection via exposed MCP endpoints |
| Supply Chain Compromise | T1195 | LiteLLM supply chain impact on downstream MCP agents and AI systems |
IOCs
Domains
_CISA KEV catalog entry; Horizon3.ai PoC confirmation_
Full URL Paths
_CISA KEV catalog entry; Horizon3.ai PoC confirmation_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
litellm>=1.83.7 (version range carrying the fix)
Detection Recommendations
- Monitor for POST requests to LiteLLM MCP test endpoints (/mcp/test, /mcp/debug).
- Implement input validation on all MCP command handlers.
- Enforce authentication on MCP endpoints.
- Update LiteLLM to version 1.83.7 or later immediately.
- Correlate with CVE-2026-48710 exploitation attempts (Host header injection).
- Restrict MCP endpoint access by IP allowlist.
- Monitor for shell command execution from LiteLLM processes.
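The log-monitoring items above can be combined into one triage pass over proxy access logs. The following is an added example, not code from LiteLLM or the cited sources; the log layout, the allowlisted network, the expected hostname, the tag names and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

MCP_TEST_PATHS = ("/mcp/test", "/mcp/debug")           # paths named in the report
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin network
EXPECTED_HOSTS = {"llm-proxy.example.internal"}        # assumed proxy hostname

# Assumed log layout: client_ip "METHOD path HTTP/x" status host="<Host header>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)"$'
)

# Constructed sample input, not taken from any real deployment.
SAMPLE_LOG = """\
10.20.0.15 "POST /mcp/test HTTP/1.1" 200 host="llm-proxy.example.internal"
203.0.113.44 "POST /mcp/test HTTP/1.1" 200 host="unexpected.example"
198.51.100.7 "POST /mcp/debug/ HTTP/1.1" 403 host="llm-proxy.example.internal:4000"
10.20.0.15 "GET /health HTTP/1.1" 200 host="llm-proxy.example.internal"
"""

def source_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address is never treated as trusted
    return any(ip in net for net in ALLOWED_NETS)

def triage(line):
    """Return finding tags for one access-log line; empty list means no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    path = m["path"].split("?", 1)[0].rstrip("/").lower()
    hit = any(path == p or path.startswith(p + "/") for p in MCP_TEST_PATHS)
    if m["method"] != "POST" or not hit:
        return []
    tags = ["mcp_test_post"]
    if not source_allowed(m["ip"]):
        tags.append("source_not_allowlisted")
    if m["host"].lower().split(":")[0] not in EXPECTED_HOSTS:  # drop :port
        tags.append("unexpected_host_header")
    if m["status"].startswith("2"):
        tags.append("request_succeeded")
    return tags

def scan(log_text):
    """Return (line_number, tags) for every line that produced a finding."""
    return [(n, t) for n, line in enumerate(log_text.splitlines(), 1) if (t := triage(line))]
```

Lines tagged with both `unexpected_host_header` and `request_succeeded` are the ones to review first when correlating with CVE-2026-48710 activity.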
References
- [CybelAngel] CVE-2026-42271 LiteLLM Vulnerability: 7 Things to Know (2026-06-10) — https://cybelangel.com/blog/itellm-vulnerability-cve-2026-42271/
- [CISA] Known Exploited Vulnerabilities Catalog (2026-06-09) — https://www.cisa.gov/known-exploited-vulnerabilities-catalog