HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-42271 — LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) fo...

·Source: NIST NVD

Updated:

Executive Summary

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When c

Analysis

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7. CVSS Score: 8.8. Published: 2026-05-08T04:16:21.820.

Indicators of Compromise (1)

CVE (1)
CVE-2026-42271
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 8, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel

<p><b>Bulletin ID:</b> 2026-029-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 05/13/2026 18:45 PM PDT</p> <p><b>This is an ongoing issue. Information is subject to change. Please refer to our Security Bulletin (ID: 2026-030-AWS) for the most updated patching information.</b></p> <p><b>Description:</b></p> <p>Amazon is aware of CVE-20

CVE-2026-46300CVE-2026-43284
AWS Security Bulletins
LOWVulnerability

Ongoing updates on Copy.fail and variants

<p><b>Bulletin ID:</b> 2026-030-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 05/13/2026 10:00 PM PDT</p> <p><b>This is an ongoing issue. This bulletin will be updated as more information becomes available.</b></p> <p><b>Description:</b></p> <p>AWS is aware of the copy.fail or DirtyFrag class of issues - a set of privilege escalation

AWS Security Bulletins
MEDIUMVulnerability

Bunq applies for Mexican banking license

Bunq, the European neobank for "global citizens", has applied for a Mexican banking license.

Finextra