CVE-2026-42271 Chained with CVE-2026-48710
LiteLLM Unauthenticated Remote Code Execution via Starlette Host Header Validation Bypass
CVE-2026-42271 is a command injection vulnerability in LiteLLM’s MCP server test endpoints that was originally disclosed as requiring authentication. Horizon3.ai researchers confirmed that when chained with CVE-2026-48710, a Starlette “BadHost” Host Header validation bypass vulnerability, the authentication requirement can be bypassed entirely. The result is unauthenticated remote code execution against vulnerable LiteLLM deployments, allowing attackers to execute commands as the LiteLLM proxy process. Affected LiteLLM versions include 1.74.2 through 1.83.6.
Technical Details
CVE-2026-42271 affects the following LiteLLM MCP server endpoints:
- POST /mcp-rest/test/connection
- POST /mcp-rest/test/tools/list
These endpoints accept a complete server configuration, including command, arguments, and environment variables used by the stdio transport. When invoked, LiteLLM spawns the supplied command as a subprocess on the proxy host. The issue was originally considered authenticated because access was gated by a valid proxy API key.
Horizon3.ai researchers validated that CVE-2026-48710 can be used to bypass the authentication mechanism entirely in LiteLLM deployments whose dependency tree includes Starlette versions ≤ 1.0.0. This transforms the vulnerability into unauthenticated remote code execution with no credentials required.
Successful exploitation allows attackers to:
- Execute arbitrary commands on the LiteLLM host
- Access model provider credentials
- Steal API keys and secrets stored by the proxy
- Move laterally into connected AI infrastructure
- Compromise downstream systems integrated with the gateway
The chained vulnerability has been assessed as CVSS 10.0 Critical.
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this chained authentication bypass and command injection vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether unauthenticated command execution is possible
- Patch immediately: Upgrade LiteLLM to version 1.83.7 or later and ensure Starlette is upgraded to version 1.0.1 or later
- Re-run the test: Confirm the vulnerability chain is no longer exploitable after remediation
Indicators of Compromise
| Indicator | Type | Description |
| --- | --- | --- |
| Unexpected subprocess execution | Behavioral | Commands spawned through LiteLLM MCP test endpoints |
| Requests to /mcp-rest/test/connection | HTTP Activity | Suspicious use of testing functionality |
| Requests to /mcp-rest/test/tools/list | HTTP Activity | Potential exploitation attempts |
| Unusual Host header values | Network Indicator | Potential abuse of CVE-2026-48710 authentication bypass |
| Unauthorized command execution | Host Activity | Evidence of successful exploitation and host compromise |
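As an added example (not part of this advisory or of LiteLLM), the script below turns the two HTTP and network indicators above into a log-review check: it flags POST requests to the MCP test endpoints, flags Host header values outside an allowlist, and marks a request that shows both as matching the chained pattern. The access-log format, the allowed hostnames and the sample lines are all constructed assumptions for the example.

```python
import re

# Assumed access-log format for this example: ts src "METHOD PATH" status host="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)"$'
)
# Endpoints named in the advisory: a POST to either spawns a subprocess on the proxy host.
MCP_TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Hostnames the proxy is legitimately served under (assumption for the example).
ALLOWED_HOSTS = {"litellm.internal.example", "localhost:4000"}

def parse_line(line: str) -> dict:
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def flag_request(rec: dict) -> list:
    """Return the names of the indicators a single request matches."""
    reasons = []
    path = rec["path"].split("?", 1)[0]          # ignore any query string
    if rec["method"] == "POST" and path in MCP_TEST_ENDPOINTS:
        reasons.append("mcp-test-endpoint")
    if rec["host"].strip().lower() not in ALLOWED_HOSTS:
        reasons.append("unusual-host-header")
    # Both indicators on one request match the chained pattern described in the advisory.
    if len(reasons) == 2:
        reasons.append("possible-unauthenticated-chain")
    return reasons

def review_log(lines: list) -> list:
    """One record per flagged request, keeping the fields an analyst needs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = flag_request(rec)
        if reasons:
            hits.append({"src": rec["src"], "path": rec["path"], "host": rec["host"], "reasons": reasons})
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '2026-06-01T10:00:01Z 10.0.0.5 "POST /chat/completions" 200 host="litellm.internal.example"',
    '2026-06-01T10:00:07Z 10.0.0.9 "POST /mcp-rest/test/connection" 200 host="litellm.internal.example"',
    '2026-06-01T10:00:09Z 198.51.100.7 "POST /mcp-rest/test/tools/list" 200 host="not-the-proxy.example"',
    '2026-06-01T10:00:12Z 10.0.0.5 "GET /health" 200 host="localhost:4000"',
]
```

Calling `review_log(SAMPLE_LOG)` returns two hits: the internal test-endpoint call (which still deserves review, since these endpoints execute commands) and the external request that also carries an unexpected Host value.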
Affected Versions & Patch
Affected
- LiteLLM versions 1.74.2 through 1.83.6
- Deployments whose dependency tree includes Starlette ≤ 1.0.0
Patch
- Upgrade LiteLLM to version 1.83.7 or later
- Upgrade Starlette to version 1.0.1 or later
- If immediate patching is not possible:
  - Block access to the affected MCP test endpoints
  - Restrict network access to trusted segments
  - Rotate credentials stored by the proxy
  - Review logs for unusual Host header activity and subprocess execution events
Timeline
- April 20, 2026 – CVE-2026-42271 was disclosed as a command injection vulnerability affecting LiteLLM MCP test endpoints.
- May 8, 2026 – LiteLLM published fixes in version 1.83.7, introducing additional authorization controls and updated Starlette dependencies.
- May 26, 2026 – Public disclosure of CVE-2026-48710 (“BadHost”) detailed Host header validation bypasses affecting Starlette-based applications.
- June 1, 2026 – Horizon3.ai researchers validated the chained exploitation path and confirmed unauthenticated remote code execution against affected LiteLLM deployments.