LiteLLM RCE Actively Exploited: CVE-2026-42271, CVE-2026-48710: News & Updates

Developers and platform engineers deploying the LiteLLM AI Gateway must take immediate action: unauthenticated Remote Code Execution (RCE) vulnerabilities, tracked as CVE-2026-42271 and CVE-2026-48710, are being actively exploited in the wild as of 2026-06-14. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42271 to its Known Exploited Vulnerabilities Catalog, underscoring the critical threat.

What Happened: Unauthenticated RCE in LiteLLM

This active exploitation chain targets LiteLLM AI Gateway deployments, allowing unauthenticated attackers to execute arbitrary commands. The attack leverages two distinct vulnerabilities:

• CVE-2026-42271: This is a command injection flaw found in LiteLLM’s MCP server test endpoints.
• CVE-2026-48710: This vulnerability is a Starlette Host Header Validation Bypass.

Attackers chain these two vulnerabilities, using the host header bypass to facilitate the command injection, ultimately achieving unauthenticated RCE on affected LiteLLM instances. This means an attacker does not need any credentials to compromise the system.

Severity and Impact

The impact of this RCE chain is critical.

• Unauthenticated RCE: Attackers can execute arbitrary code on the underlying system without any prior authentication.
• High CVSS Score: CVE-2026-42271 carries a high-severity CVSS score of 8.7.
• CISA KEV Catalog: Its inclusion in CISA’s Known Exploited Vulnerabilities catalog confirms active exploitation and mandates federal agencies to patch quickly. This is a strong signal for all organizations to prioritize mitigation.

The successful exploitation of these vulnerabilities grants attackers full control over the compromised LiteLLM gateway, potentially leading to data exfiltration, service disruption, or further lateral movement within a network.

Affected Versions and Deployments

Specific affected LiteLLM version numbers for CVE-2026-42271 and CVE-2026-48710 have not been publicly detailed in the provided evidence currently available.

LiteLLM’s official security updates from March and April 2026 mention security hardening and “Verified safe versions” with SHA-256 checksums. However, these updates do not explicitly link specific version numbers to these particular CVEs.

Given the active exploitation, any LiteLLM AI Gateway deployment that has not been recently updated with the latest security patches should be considered potentially vulnerable. This includes deployments exposed to the internet or accessible from untrusted networks.

Immediate Actionable Steps for Developers

Given the active exploitation and critical severity, immediate action is required for all LiteLLM AI Gateway deployments.

1. Update LiteLLM Immediately:
   • Check the official LiteLLM documentation and GitHub repository for the latest security patches and recommended versions.
   • Update your LiteLLM installation to the most recent secure release. While specific version numbers for these CVEs aren’t available, updating to the latest available version is the strongest defense.
   • Example for Python installations (verify official guidance for exact command):

        pip install --upgrade litellm
 

- For Docker deployments, pull the latest official image:

        docker pull litellm/proxy:latest
 

2. Network Segmentation and Access Control:
   • Isolate from Public Internet: Ensure your LiteLLM AI Gateway instances are never directly exposed to the public internet. If external access is unavoidable, place them behind a robust reverse proxy, a VPN, or a dedicated API gateway that enforces strong authentication and authorization.
   • Implement Strict Firewall Rules: Configure firewalls (e.g., AWS Security Groups, Azure Network Security Groups, Google Cloud Firewall Rules, or on-premise network firewalls) to enforce the principle of least privilege. Allow inbound connections only from explicitly authorized, trusted IP addresses or internal subnets that absolutely require access to the gateway. Block all other inbound traffic by default.
   • Utilize a Web Application Firewall (WAF): Deploy a WAF in front of your LiteLLM gateway to provide an additional layer of defense. A WAF can help detect and block common web-based attacks, including potential host header manipulation or command injection attempts, even before they reach the application. Configure it with rules specific to API gateways and common exploitation patterns.
   • Leverage API Gateways/Authenticated Proxies: If not already in place, consider integrating the LiteLLM gateway with an enterprise-grade API Gateway (e.g., Kong, Apigee, AWS API Gateway). These solutions offer advanced features like rate limiting, request validation, authentication, and authorization, significantly reducing the attack surface. An authenticated proxy can enforce user authentication before requests reach LiteLLM.
   • Internal Network Segmentation: Even within your internal network, segment your LiteLLM deployments into dedicated, isolated subnets. This limits lateral movement for an attacker if one part of your internal network is compromised, preventing them from easily reaching the LiteLLM gateway.
3. Monitor for Suspicious Activity:
   • Review logs for your LiteLLM deployments for any unusual activity, especially commands executed on the host, unexpected outbound connections, or changes to configuration files.
   • Look for signs of the Starlette Host Header bypass, though specifics may require deep packet inspection or runtime analysis.
4. Rotate Credentials and API Keys:
   • Given the potential for RCE, assume that credentials and API keys used by or accessible from the LiteLLM instance may be compromised.
   • Immediately rotate all API keys, database credentials, and any other secrets that were configured for use by the LiteLLM gateway or stored on the host where it runs.
5. Activate Incident Response Plan:
   • If you suspect or confirm compromise, immediately activate your organization’s incident response plan.
   • Isolate affected systems, preserve forensic evidence, and conduct a thorough investigation to determine the scope and impact of the breach.
6. Conduct Security Audits:
   • Perform an immediate security audit of your LiteLLM deployment environment.
   • Verify the integrity of your LiteLLM installation and underlying system. Check for unexpected files, processes, or modifications that could indicate a lingering compromise.

What To Watch Next

• Official Version Details: Look for specific LiteLLM version numbers confirmed to fix CVE-2026-42271 and CVE-2026-48710.
• Exploit Details and IOCs: Watch for further technical details on the exploitation methods and Indicators of Compromise (IOCs) from security researchers.

References

• CVE-2026-42271: LiteLLM Unauthenticated RCE | Horizon3.ai
• LiteLLM vulnerability under active attack, CISA warns (CVE-2026-42271) - Help Net Security
• Critical Alert: Oligo Detects and Blocks RCE in LiteLLM (CVE-2026-42271) - Oligo Security
• LiteLLM AI Gateway: Active Exploitation via MCP Injection - Cloud Security Alliance (PDF)
• Security Update: Vulnerability Disclosures and Ongoing Hardening - LiteLLM Docs