CVE Details

CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
  • Published: 2026-06-08
  • CVSS: 8.7 HIGH
  • Product: BerriAI LiteLLM
  • Due Date: 2026-06-22

BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.

GitHub PoC

Warning: GitHub PoC repositories are unverified. Some may be fake or contain malware. Use caution and review code before running anything.

No GitHub PoC data.

FIRST EPSS

EPSS estimates the probability of exploitation in the next 30 days. Higher values indicate higher likelihood of real-world exploitation.

Timeline

(timeline graphic; tracks shown: CVE Stalker, KEV, MITRE, GitHub, FIRST EPSS)

MITRE

CVSS

  • Score: 8.7
  • Severity: HIGH
  • Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

SSVC

  • Exploitation: none
  • Automatable: no
  • Technical Impact: total

References

  • https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g (vendor advisory, CONFIRM)
  • https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable (fixed release)

Raw Data (key / value)
dataType CVE_RECORD
dataVersion 5.2
cveMetadata > cveId CVE-2026-42271
cveMetadata > assignerOrgId a0819718-46f1-4df5-94e2-005712e83aaa
cveMetadata > state PUBLISHED
cveMetadata > assignerShortName GitHub_M
cveMetadata > dateReserved 2026-04-26T11:53:27.707Z
cveMetadata > datePublished 2026-05-08T03:35:16.758Z
cveMetadata > dateUpdated 2026-05-09T03:55:48.638Z
containers > cna > title LiteLLM: Authenticated command execution via MCP stdio test endpoints
containers > cna > problemTypes > 0 > descriptions > 0 > cweId CWE-77
containers > cna > problemTypes > 0 > descriptions > 0 > lang en
containers > cna > problemTypes > 0 > descriptions > 0 > description CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
containers > cna > problemTypes > 0 > descriptions > 0 > type CWE
containers > cna > problemTypes > 1 > descriptions > 0 > cweId CWE-78
containers > cna > problemTypes > 1 > descriptions > 0 > lang en
containers > cna > problemTypes > 1 > descriptions > 0 > description CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
containers > cna > problemTypes > 1 > descriptions > 0 > type CWE
containers > cna > metrics > 0 > cvssV4_0 > attackVector NETWORK
containers > cna > metrics > 0 > cvssV4_0 > attackComplexity LOW
containers > cna > metrics > 0 > cvssV4_0 > attackRequirements PRESENT
containers > cna > metrics > 0 > cvssV4_0 > privilegesRequired LOW
containers > cna > metrics > 0 > cvssV4_0 > userInteraction NONE
containers > cna > metrics > 0 > cvssV4_0 > vulnConfidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV4_0 > vulnIntegrityImpact HIGH
containers > cna > metrics > 0 > cvssV4_0 > vulnAvailabilityImpact HIGH
containers > cna > metrics > 0 > cvssV4_0 > subConfidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV4_0 > subIntegrityImpact NONE
containers > cna > metrics > 0 > cvssV4_0 > subAvailabilityImpact NONE
containers > cna > metrics > 0 > cvssV4_0 > baseScore 8.7
containers > cna > metrics > 0 > cvssV4_0 > baseSeverity HIGH
containers > cna > metrics > 0 > cvssV4_0 > vectorString CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
containers > cna > metrics > 0 > cvssV4_0 > version 4.0
containers > cna > references > 0 > name https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g
containers > cna > references > 0 > tags > 0 x_refsource_CONFIRM
containers > cna > references > 0 > url https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g
containers > cna > references > 1 > name https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
containers > cna > references > 1 > tags > 0 x_refsource_MISC
containers > cna > references > 1 > url https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
containers > cna > affected > 0 > vendor BerriAI
containers > cna > affected > 0 > product litellm
containers > cna > affected > 0 > versions > 0 > version >= 1.74.2, < 1.83.7
containers > cna > affected > 0 > versions > 0 > status affected
containers > cna > providerMetadata > orgId a0819718-46f1-4df5-94e2-005712e83aaa
containers > cna > providerMetadata > shortName GitHub_M
containers > cna > providerMetadata > dateUpdated 2026-05-08T03:35:16.758Z
containers > cna > descriptions > 0 > lang en
containers > cna > descriptions > 0 > value LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.
containers > cna > source > advisory GHSA-v4p8-mg3p-g94g
containers > cna > source > discovery UNKNOWN
containers > adp > 0 > metrics > 0 > other > type ssvc
containers > adp > 0 > metrics > 0 > other > content > timestamp 2026-05-08T00:00:00+00:00
containers > adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation none
containers > adp > 0 > metrics > 0 > other > content > options > 1 > Automatable no
containers > adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact total
containers > adp > 0 > metrics > 0 > other > content > role CISA Coordinator
containers > adp > 0 > metrics > 0 > other > content > version 2.0.3
containers > adp > 0 > metrics > 0 > other > content > id CVE-2026-42271
containers > adp > 0 > title CISA ADP Vulnrichment
containers > adp > 0 > providerMetadata > orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0
containers > adp > 0 > providerMetadata > shortName CISA-ADP
containers > adp > 0 > providerMetadata > dateUpdated 2026-05-09T03:55:48.638Z