LiteLLM RCE: your AI gateway is now attack surface
CVE-2026-42271 turns LiteLLM into unauthenticated remote code execution and API-key theft. What the AI proxy layer means for your security.
If you route your AI calls through a proxy so you can swap providers, cap spend, and log usage — good instinct, we recommend it. But that proxy is a server that holds every API key you own, and this week it became a live target. A critical flaw in LiteLLM, one of the most widely deployed open-source AI gateways, is being exploited in the wild.
What actually happened
CVE-2026-42271 is a command-injection flaw (CVSS 8.7) in LiteLLM versions ≥ 1.74.2 through < 1.83.7. Per The Hacker News, two MCP test endpoints accepted a full server configuration in the request body and spawned the supplied command as a subprocess on the proxy host — no allowlist, no admin gate. Any holder of a proxy API key could run arbitrary commands on the box.
It gets worse. Researchers at Horizon3.ai chained it with CVE-2026-48710, a "BadHost" host-header bypass in the Starlette framework, to reach unauthenticated remote code execution from any network-reachable host — a combined CVSS of 10.0. A successful attacker runs commands on the host, then reads the model-provider credentials the proxy stores: your Anthropic, OpenAI, and other keys, plus a path into whatever those keys can reach. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 8, 2026, citing active exploitation. The fix ships in LiteLLM 1.83.7, which gates both endpoints behind the PROXY_ADMIN role; patch Starlette to a fixed release too.
Why it matters for your business
The AI proxy is the highest-value box in a modern stack because it concentrates secrets. One host, every key. That's convenient for you and convenient for whoever takes it. If you or a vendor stood up an AI gateway in the last year and haven't looked at it since, it is probably running a vulnerable version right now, and "internal only" is not protection — the unauthenticated chain works from any host that can reach the port.
Three moves, today. Pin the version and update LiteLLM to 1.83.7+ (and Starlette). Put the gateway behind network controls so it isn't reachable from the open internet or your whole flat LAN. And rotate the provider keys it holds — if it was exposed, assume they walked. The broader lesson: every convenience layer you add to move fast is also a thing that can be attacked, and AI infrastructure is new enough that a lot of it shipped without the boring security review the rest of your stack gets.
Key takeaways
- CVE-2026-42271 (CVSS 8.7) lets any proxy-key holder run commands on the LiteLLM host; chained with CVE-2026-48710 it becomes unauthenticated RCE (CVSS 10.0)
- It's on CISA's Known Exploited Vulnerabilities list as of June 8, 2026 — actively exploited
- The gateway holds every provider API key, so a host takeover is a credential heist
- Update LiteLLM to 1.83.7+ and Starlette, lock down network access, and rotate exposed keys now
Not sure what your AI stack exposes? We audit the proxy layer, secrets handling, and network reach — then fix what's soft. See how we harden AI systems or book a stack review.
Sources: The Hacker News, Horizon3.ai.
- #ai-security
- #litellm
- #vulnerability
- #ai-gateway
- #devops
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Qualcomm buys Modular: the AI portability layer got acquired
Qualcomm's ~$3.9B all-stock buy of Modular puts the 'run AI on any chip' software layer inside a chipmaker. Here's what it means for staying vendor-agnostic.
Read itGLM-5.2 open weights: the cost case for portability
Z.ai's open-weight GLM-5.2 matches frontier coding models at a fraction of the API price. The real story isn't the benchmark — it's that switching costs just dropped.
Read it