LiteLLM Flaw Exploited in the Wild via Unauthenticated RCE
2026-06-09 06:26 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The incident concerns a critical vulnerability in LiteLLM, a widely used open-source AI gateway and Python SDK that organizations deploy as a proxy in front of LLM providers. The flaw, tracked as CVE-2026-42271 (CVSS score: 8.7), lets any authenticated proxy user run arbitrary commands on the host through two MCP server preview endpoints, with consequences ranging from unauthorized access and data theft to disruption of the services behind the proxy. The patch released in version 1.83.7 makes both test endpoints require the PROXY_ADMIN role, consistent with the save endpoint. Horizon3.ai chained the flaw with CVE-2026-48710 (CVSS score: 6.5), the "BadHost" host header validation bypass in Starlette, to sidestep authentication entirely and achieve unauthenticated remote code execution against vulnerable LiteLLM deployments, and the flaw has since been exploited in the wild, which underscores the need for prompt patching and layered controls around the proxy.
Technical Mitigations (AI-generated)
* Upgrade LiteLLM to 1.83.7 or later and Starlette to 1.0.1 or later; a gateway block is only a stopgap until the upgrade lands.
* Until patched, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at the reverse proxy or API gateway, matching on the normalized path rather than an exact string.
* Restrict network access to the proxy to trusted segments and keep its admin and MCP management routes off the internet.
* Rotate credentials stored by the proxy (provider keys and any other secrets it holds), since a compromised host could have read them.
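The gateway block and the log triage above can be expressed as a small filter. The following is an added example, not code from LiteLLM, Horizon3.ai or the source article; the two endpoint paths come from the advisory, while the log format, the normalization rules and the sample log lines are constructed here. Because the chain described on this page uses the Starlette bypass only to reach the LiteLLM preview endpoints, denying those endpoints at the gateway removes the command-execution sink regardless of how authentication is evaded, but only if the match survives trivial path variants (query strings, percent-encoding, doubled or trailing slashes), which is why the filter canonicalizes before comparing.

```python
import re
from urllib.parse import unquote

# Hypothetical gateway-side filter plus access-log triage for the two LiteLLM
# MCP preview endpoints named in the advisory. Added example, not LiteLLM code.
# Upgrading to 1.83.7 / Starlette 1.0.1 is the fix; this is a stopgap.

BLOCKED_PREFIX = "/mcp-rest/test/"   # covers /test/connection and /test/tools/list


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching so that variants such as
    '/mcp-rest//test/%63onnection/?x=1' cannot slip past an exact-match rule."""
    path = raw_path.split("?", 1)[0]   # drop the query string
    path = unquote(path)               # decode percent-escapes
    path = re.sub(r"/+", "/", path)    # collapse repeated slashes
    if len(path) > 1:
        path = path.rstrip("/")        # drop a trailing slash
    return path


def should_block(method: str, raw_path: str) -> bool:
    """Deny-list decision: reject any POST whose canonical path sits under
    the MCP preview prefix."""
    if method.upper() != "POST":
        return False
    return normalize_path(raw_path).startswith(BLOCKED_PREFIX)


# Common/combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def triage_access_log(lines):
    """Return (ip, timestamp, canonical path, status) for every request that
    reached a preview endpoint. On an unpatched proxy a 200 means a server
    configuration, possibly carrying command/args/env, was accepted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if should_block(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], normalize_path(m["path"]), int(m["status"])))
    return hits


# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:06:12:01 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jun/2026:06:12:03 +0000] "POST /mcp-rest/test/tools/list/?x=1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [09/Jun/2026:06:13:10 +0000] "POST /chat/completions HTTP/1.1" 200 1024',
    '203.0.113.7 - - [09/Jun/2026:06:14:22 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0',
    '203.0.113.9 - - [09/Jun/2026:06:15:00 +0000] "POST /mcp-rest//test/%63onnection HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in triage_access_log(SAMPLE_LOG):
        print(hit)
```

Run the same predicate in the gateway's request-filter hook and over the gateway's own access logs for the period before the block was deployed; the two sources should agree on which clients touched the preview endpoints.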
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-42271
CVE-2026-42208
CVE-2026-48710
Target & Sectors
Global Scope
Incident Timeline
2026/06/02
Horizon3.ai chained CVE-2026-42271 with CVE-2026-48710, the "BadHost" host header validation bypass in Starlette, to sidestep authentication and achieve remote code execution against vulnerable LiteLLM deployments.
LiteLLM Unauthenticated Remote Code Execution via Starlette Host Header Validation Bypass
Last week, Horizon3.ai said it chained CVE-2026-42271 with CVE-2026-48710 (CVSS score: 6.5), a "BadHost" host header validation bypass vulnerability affecting Starlette, a lightweight Asynchronous Server Gateway Interface (ASGI) framework, to completely sidestep authentication and achieve remote code execution against vulnerable LiteLLM deployments.
Jun 09, 2026
Threat actors exploited CVE-2026-42271 in the wild against LiteLLM deployments, abusing the proxy's MCP server preview endpoints.
As part of the patches released in version 1.83.7, both test endpoints now require the PROXY_ADMIN role, making them consistent with the save endpoint.
Users are advised to update LiteLLM to version 1.83.7 or later and Starlette to version 1.0.1 or later.
"CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0," Horizon3.ai said.
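Because the vulnerable Starlette versions enter through LiteLLM's dependency tree (Starlette is typically a transitive dependency, pulled in via FastAPI), upgrading LiteLLM alone does not prove that Starlette is at 1.0.1 or later. The following audit is an added example, not tooling from LiteLLM, Horizon3.ai or the article: it reads both installed versions from package metadata and compares them against the fixed releases named above. The fixed-version table comes from this page; the version-parsing helper is a deliberate simplification (it treats any textual suffix as a pre-release) and is labelled as such.

```python
import re
from importlib import metadata

# Added example (not LiteLLM or Horizon3.ai tooling): audit installed LiteLLM and
# Starlette against the fixed releases named in the advisory.

FIXED = {
    "litellm": "1.83.7",    # test endpoints require PROXY_ADMIN from here on
    "starlette": "1.0.1",   # CVE-2026-48710 host header bypass fixed
}


def parse_version(v: str) -> tuple:
    """Comparable tuple for a version string: '1.0.1' -> (1, 0, 1, 1).
    Simplification: any textual suffix ('1.0.1rc1') ranks below the final
    release; use packaging.version for full PEP 440 semantics if available."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # (1, 0) compares as (1, 0, 0)
    return nums + ((0,) if m.group(2) else (1,))


def is_fixed(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def audit(installed: dict) -> dict:
    """Map each package to 'ok', 'missing', or 'vulnerable (<found> < <fixed>)'.
    `installed` is {name: version}: pass installed_versions() for the live
    environment or a constructed dict for testing."""
    result = {}
    for pkg, fixed in FIXED.items():
        v = installed.get(pkg)
        if v is None:
            result[pkg] = "missing"
        elif is_fixed(v, fixed):
            result[pkg] = "ok"
        else:
            result[pkg] = f"vulnerable ({v} < {fixed})"
    return result


def installed_versions() -> dict:
    """Versions of the packages of interest in the current interpreter."""
    found = {}
    for pkg in FIXED:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    for pkg, state in audit(installed_versions()).items():
        print(f"{pkg}: {state}")
```

Run it inside the same virtual environment or container image that serves the proxy; a "missing" result for starlette in a running LiteLLM deployment usually means the audit was run in the wrong environment, not that the dependency is absent.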
Per Horizon3.ai, the chained vulnerability has a combined CVSS score of 10.0, making it critical in nature.
The development comes a little over a month after a critical SQL injection flaw in LiteLLM (CVE-2026-42208, CVSS score: 9.3) came under active exploitation within 36 hours of the bug becoming public knowledge.
[...] LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
It affects the following version of the LiteLLM Python package -
"Two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport," according to a description of the flaw shared by BerriAI.
The maintainers of the open-source AI gateway and Python SDK said the endpoints were secured only by means of a valid proxy API key, as a result of which any authenticated user, including privileged internal-user keys, could execute arbitrary commands on a susceptible system.
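The bug class the maintainers describe is an authorization mismatch: two preview routes and the save route all reach the same process-spawning sink (the stdio transport's command/args/env), but the preview routes were gated by a valid key alone while the save route already required PROXY_ADMIN. The following model is an added example, not LiteLLM's code. The two test endpoint paths, the stdio field names and the PROXY_ADMIN role come from the advisory; the Caller and Route types, the save-endpoint path and the sample request body are hypothetical scaffolding. It simulates a request before and after the 1.83.7 change and includes a route audit that flags any sink reachable under a weaker gate, which is the check that would have caught the inconsistency.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not LiteLLM's code: a model of the CVE-2026-42271 bug class
# and of the 1.83.7 fix (PROXY_ADMIN required on every route reaching the sink).

PROXY_ADMIN = "proxy_admin"
STDIO_FIELDS = {"command", "args", "env"}   # fields the stdio transport executes


@dataclass(frozen=True)
class Caller:
    api_key_valid: bool
    role: str                      # e.g. "internal_user" or PROXY_ADMIN


@dataclass(frozen=True)
class Route:
    path: str
    required_role: Optional[str]   # None: any valid proxy key is enough
    spawns_process: bool           # True if the handler can start an MCP stdio server


# Before the patch: preview routes gated by key only, save route by PROXY_ADMIN.
ROUTES_BEFORE = [
    Route("/mcp-rest/test/connection", None, True),
    Route("/mcp-rest/test/tools/list", None, True),
    Route("/mcp-rest/servers", PROXY_ADMIN, True),   # hypothetical path for the save endpoint
]

# After the patch: every route that can reach the sink requires PROXY_ADMIN.
ROUTES_AFTER = [Route(r.path, PROXY_ADMIN, r.spawns_process) for r in ROUTES_BEFORE]


def authorize(route: Route, caller: Caller) -> bool:
    """The gate as the maintainers described it: a valid proxy key always,
    plus the route's role only when the route sets one."""
    if not caller.api_key_valid:
        return False
    return route.required_role is None or caller.role == route.required_role


def preview_request(routes, path: str, caller: Caller, body: dict) -> str:
    """Simulate a POST to `path` carrying a server config in `body`.
    'spawned' means the config would reach the stdio transport."""
    route = next(r for r in routes if r.path == path)
    if not authorize(route, caller):
        return "forbidden"
    if route.spawns_process and STDIO_FIELDS & body.keys():
        return "spawned"
    return "accepted"


def find_privilege_gaps(routes, sink_role: str = PROXY_ADMIN):
    """Audit: paths of routes that can spawn a process without requiring
    `sink_role`. A non-empty result is the inconsistency the patch removed."""
    return [r.path for r in routes if r.spawns_process and r.required_role != sink_role]


# Constructed sample inputs (not from the advisory).
INTERNAL_USER = Caller(api_key_valid=True, role="internal_user")
ADMIN = Caller(api_key_valid=True, role=PROXY_ADMIN)
PREVIEW_BODY = {
    "name": "demo-server",
    "transport": "stdio",
    "command": "npx",                 # whatever is named here runs on the proxy host
    "args": ["some-mcp-server"],
    "env": {"EXAMPLE": "1"},
}

if __name__ == "__main__":
    print("gaps before:", find_privilege_gaps(ROUTES_BEFORE))
    print("gaps after: ", find_privilege_gaps(ROUTES_AFTER))
    print("internal user, before:",
          preview_request(ROUTES_BEFORE, "/mcp-rest/test/connection", INTERNAL_USER, PREVIEW_BODY))
    print("internal user, after: ",
          preview_request(ROUTES_AFTER, "/mcp-rest/test/connection", INTERNAL_USER, PREVIEW_BODY))
```

The audit generalizes beyond this incident: enumerate every route whose handler can reach a dangerous sink (process spawn, file write, outbound fetch) and require that all of them carry the sink's strictest role, so that a "preview" or "test" variant of a privileged action cannot be added later with a weaker gate.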
2026/06/09
Ravie Lakshmanan reported the LiteLLM flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE.
Intelligence Sources
The Hacker News, 2026-06-09
Last Updated: 2026-06-29T06:31