Critical Vulnerability Chain: Unauthenticated RCE via LiteLLM and Starlette

A sophisticated vulnerability chain has been identified within LiteLLM, creating a direct path for unauthenticated remote code execution (RCE) on exposed production servers. By leveraging two distinct flaws, an attacker can bypass the entire authentication layer of a LiteLLM deployment to gain shell access to the underlying host.

This critical exploit chain, tracked as CVE-2026-42271 paired with CVE-2026-48710, represents a maximum-severity risk to AI infrastructure. If left unpatched, it allows attackers to execute arbitrary system commands, potentially compromising the entire AI gateway and the sensitive models it manages.

Technical Breakdown: The Exploit Chain

1. Command Injection via MCP Endpoints (CVE-2026-42271)

The root of the execution capability lies in LiteLLM’s implementation of the Model Context Protocol (MCP) server test endpoints. Specifically, the routes /mcp-rest/test/connection and /mcp-rest/test/tools/list are designed for debugging and connection testing.

These endpoints accept complex server configurations that include executable commands, arguments, and environment variables intended for stdio-based transport. When a request is processed, LiteLLM spawns these inputs as subprocesses on the host operating system. These endpoints require a valid proxy API key, so that key check is the only barrier between an attacker and command execution; in this chain they serve as the “payload delivery” mechanism.

2. The “BadHost” Authentication Bypass (CVE-2026-48710)

The security boundary of the API key requirement is neutralized by a vulnerability in the Starlette framework. Researchers at Horizon3.ai demonstrated that Starlette (versions up to 1.0.0) suffers from improper Host header validation.

This flaw, colloquially known as the “BadHost” bypass, allows an attacker to manipulate the HTTP Host header to trick the application into misrouting the request or bypassing middleware-based authentication checks. By carefully crafting these headers, an attacker can reach the sensitive MCP test endpoints without ever providing a legitimate proxy API key.

3. Full System Compromise

When these two vulnerabilities are chained, the result is a CVSS 10.0 critical exploit. An unauthenticated remote attacker can bypass authentication (via Starlette) and then trigger command execution (via LiteLLM). Because the LiteLLM proxy process often runs with elevated privileges to manage various API integrations, a successful exploit grants the attacker the ability to:

  • Exfiltrate model provider credentials and environment secrets.
  • Access sensitive API keys stored within the proxy configuration.
  • Pivot laterally from the AI gateway into connected downstream microservices or internal AI training environments.

Indicators of Compromise (IoC)

Security teams should monitor for the following behavioral and network signatures to detect active exploitation attempts:

Indicator                               | Type          | Description
----------------------------------------|---------------|--------------------------------------------------------------------------------
Unexpected subprocess execution         | Behavioral    | System processes (e.g., /bin/sh, cmd.exe) spawned via LiteLLM MCP routes.
Requests to /mcp-rest/test/connection   | HTTP Activity | Unauthenticated or anomalous traffic hitting MCP testing endpoints.
Requests to /mcp-rest/test/tools/list   | HTTP Activity | Probing of tool-listing functionality by unknown actors.
Anomalous Host headers                  | Network       | Host header values that do not match the expected domain or infrastructure config.
Unauthorized command execution          | Host Activity | Evidence of shell commands appearing in application or system logs.

Note: Defensive monitoring should focus on the integrity of the Host header and the process tree of the LiteLLM service.
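As an added example (not part of this advisory, and not LiteLLM's or Starlette's own code), the following Python helper applies the IoC table above to access-log lines: it flags any request to the two MCP test routes, marks those that arrive without credentials, and compares the Host header against an allowlist. The JSON log format, its field names, the allowlisted hostnames and the sample lines are all constructed assumptions for illustration.

```python
"""Detection helper for the LiteLLM / Starlette chain described in the advisory.

Assumed (not from the advisory): access logs are JSON lines with the fields
"src" (client IP), "host" (Host header), "path" and "auth" (True when an
Authorization header was present). The sample lines below are constructed.
"""
import json
from typing import Iterable

# Routes the advisory names as the payload-delivery endpoints.
MCP_TEST_ROUTES = ("/mcp-rest/test/connection", "/mcp-rest/test/tools/list")

# Host header values that are legitimate for this deployment (assumed allowlist).
EXPECTED_HOSTS = {"llm-gateway.internal", "llm-gateway.internal:4000"}

# Constructed sample log: two benign requests, one authenticated debug call,
# and two unauthenticated probes of the MCP test routes with foreign Host values.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "host": "llm-gateway.internal", "path": "/v1/chat/completions", "auth": true}
{"src": "10.0.0.9", "host": "llm-gateway.internal", "path": "/mcp-rest/test/connection", "auth": true}
{"src": "203.0.113.7", "host": "unexpected.example", "path": "/mcp-rest/test/connection", "auth": false}
{"src": "203.0.113.7", "host": "198.51.100.20", "path": "/mcp-rest/test/tools/list", "auth": false}
{"src": "10.0.0.12", "host": "llm-gateway.internal", "path": "/health", "auth": false}
"""


def classify(entry: dict) -> list[str]:
    """Return the indicator labels from the IoC table that match one request."""
    hits = []
    if entry.get("path", "").startswith(MCP_TEST_ROUTES):
        hits.append("mcp-test-route")          # any traffic to the debug endpoints
        if not entry.get("auth", False):
            hits.append("unauthenticated-mcp-test")  # reached without a proxy API key
    if entry.get("host", "") not in EXPECTED_HOSTS:
        hits.append("anomalous-host")          # Host header outside the allowlist
    return hits


def scan(log_lines: Iterable[str]) -> list[dict]:
    """Classify every non-empty line and return only the flagged requests, in order."""
    alerts = []
    for raw in log_lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        hits = classify(entry)
        if hits:
            alerts.append({"src": entry.get("src"), "path": entry.get("path"),
                           "host": entry.get("host"), "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Requests that hit an MCP test route while both unauthenticated and carrying an off-allowlist Host header match the chain end to end and deserve the highest triage priority.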

Remediation and Mitigation

The most effective defense is a comprehensive update of the software stack. Organizations are strongly urged to take the following actions:

  1. Immediate Patching: Upgrade LiteLLM to version 1.83.7 or later.
  2. Dependency Management: Ensure the Starlette framework is updated to version 1.0.1 or newer to resolve the Host header validation issue.
  3. Network Hardening: If immediate patching is impossible, implement strict network segmentation to ensure MCP test endpoints are not reachable from the public internet.
  4. Credential Rotation: As a precautionary measure following a suspected breach, rotate all API keys, model provider secrets, and environment variables managed by the LiteLLM proxy.

This vulnerability highlights a critical trend in modern security: the risk is no longer just in your custom code, but in the complex web of dependencies that power the AI era. Securing the underlying frameworks is just as vital as securing the AI models themselves.
