CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack

CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability in BerriAI LiteLLM — a widely deployed open-source proxy that provides a unified API interface across multiple large language model providers. The vulnerability allows an attacker with a low-privilege LiteLLM API key to inject operating system commands that execute on the LiteLLM host with the permissions of the LiteLLM process.

LiteLLM is used by organisations to manage API access to OpenAI, Anthropic, Google Gemini, Azure OpenAI, and other LLM providers through a single gateway. The deployment model — typically a containerised service with API keys distributed to multiple internal services and developers — creates a large key-holding population, any one of whom could exploit this vulnerability.

Vulnerability Details

CVE-2026-42271 is a command injection vulnerability in LiteLLM’s model management endpoint. LiteLLM includes an administrative interface for managing model configurations, API key budgets, and routing rules. A specific endpoint in this interface processes user-supplied input that is incorporated into a system command without sufficient sanitisation.

The critical aspect of this vulnerability is the privilege requirement: low-privilege API keys — the type distributed to individual developers and applications for LLM API access — are sufficient to reach the vulnerable endpoint. This means any developer or service with a LiteLLM API key can exploit this vulnerability, regardless of whether they have administrative access to the LiteLLM instance.

CVSS assessment: High severity. Network access vector, low complexity, low privileges required, no user interaction. Impact: full compromise of the LiteLLM host.

Affected versions: LiteLLM v1.83.6 and earlier. Patched version: LiteLLM v1.83.7-stable (released 3 June 2026).

Why AI Infrastructure Is Now a KEV Category

CVE-2026-42271 joins a growing list of KEV-confirmed vulnerabilities in AI infrastructure tooling. The pattern reflects a structural reality: AI tools are being adopted rapidly in enterprise environments, often by development and data science teams rather than through traditional IT security procurement processes. The security review that would apply to a new SIEM or endpoint agent — architecture review, penetration testing, vendor security questionnaire — is frequently not applied to AI gateways and LLM proxy services.

LiteLLM’s deployment pattern makes this worse: it is commonly deployed with broad API key distribution (many developers and services have keys), often on internal infrastructure that is assumed to be low-risk because it is not internet-facing (but is accessible from any compromised internal system), and often without the monitoring that would detect unusual command execution.

  • Update to LiteLLM v1.83.7-stable immediately: The patch is a point release available via pip install litellm==1.83.7 or by pulling the updated container image from the BerriAI registry.
  • Audit API key holders: Identify all parties (users, services, CI/CD pipelines) that hold LiteLLM API keys. Anyone with a key was potentially in scope to exploit this vulnerability.
  • Review LiteLLM logs for exploitation indicators: Check LiteLLM access logs for unusual requests to model management endpoints (/model/, /team/, /key/) from API keys that do not normally access these endpoints. Unexpected subprocess execution in LiteLLM process logs is a post-exploitation indicator.
  • Apply principle of least privilege to API keys: LiteLLM supports key-level permissions — production application API keys should not have administrative permissions. Use litellm_budget and model restriction settings to limit what each key can access.
  • Isolate LiteLLM from internal infrastructure: LiteLLM instances should not have outbound access to internal systems (Active Directory, internal APIs, databases) that are not required for LLM proxying. Network segmentation limits the blast radius if the host is compromised.
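
One way to carry out the log review described in the list above, as an added example that is not part of the original article or LiteLLM's own tooling. It assumes a JSON-lines access log with hypothetical fields ts, key_alias, method and path; the sample records and paths are constructed.

```python
import json
from collections import defaultdict

# Management path prefixes named in the log-review advice above.
MGMT_PREFIXES = ("/model/", "/team/", "/key/")

# Constructed sample (JSON lines). The field names and the paths are
# assumptions for illustration, not LiteLLM's actual log schema.
SAMPLE_LOG = """\
{"ts": "2026-05-20T09:00:00Z", "key_alias": "admin-ops", "method": "POST", "path": "/key/generate"}
{"ts": "2026-05-21T10:15:00Z", "key_alias": "svc-chatbot", "method": "POST", "path": "/chat/completions"}
{"ts": "2026-05-25T14:02:00Z", "key_alias": "admin-ops", "method": "POST", "path": "/model/new"}
this line is not JSON and is skipped
{"ts": "2026-06-02T03:14:07Z", "key_alias": "svc-chatbot", "method": "POST", "path": "/model/new"}
{"ts": "2026-06-03T08:00:00Z", "key_alias": "admin-ops", "method": "POST", "path": "/model/update"}
{"ts": "2026-06-04T11:30:00Z", "key_alias": "dev-alice", "method": "GET", "path": "/key/info"}
"""

FIELDS = ("ts", "key_alias", "method", "path")

def parse(log_text):
    """Yield (ts, key, method, path) tuples, skipping malformed records."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            row = tuple(rec[f] for f in FIELDS)
        except (ValueError, KeyError, TypeError):
            continue
        if all(isinstance(v, str) for v in row):
            yield row

def find_anomalies(log_text, baseline_end):
    """Flag management-endpoint hits by keys with no such history before baseline_end."""
    # Same-format UTC ISO 8601 strings sort in time order, so compare as strings.
    baseline = defaultdict(set)
    findings = []
    for ts, key, method, path in sorted(parse(log_text)):
        prefix = next((p for p in MGMT_PREFIXES if path.startswith(p)), None)
        if prefix is None:
            continue
        if ts < baseline_end:
            baseline[key].add(prefix)        # learn what this key normally touches
        elif prefix not in baseline[key]:
            findings.append((ts, key, method, path))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, "2026-06-01T00:00:00Z"):
        print("REVIEW:", *finding)
```

Set the baseline cut-off to a date before any suspected exploitation window, so that malicious requests are not learned as normal behaviour.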

Broader Implication

CVE-2026-42271 is the second AI infrastructure component to reach the CISA KEV in 2026. The first was the Langflow AI workflow builder (CVE-2026-5027, also command injection). The recurrence is not coincidental — AI infrastructure tools are built on Python stacks that frequently use subprocess and eval patterns for extensibility, creating a class of command injection risk that is familiar in other contexts but is appearing in new products that have not undergone the security review cycle of more mature enterprise software.
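
The subprocess and eval patterns mentioned above can be surfaced in a code base with a small static check; this is an added example, not code from the article, LiteLLM or Langflow. The sample source under audit and the choice of sinks are constructed for illustration.

```python
import ast

# Constructed sample under audit; it is not code from LiteLLM or Langflow.
SAMPLE = '''\
import os, subprocess

def probe(host):
    subprocess.run(f"ping -c 1 {host}", shell=True)

def probe_safe(host):
    subprocess.run(["ping", "-c", "1", "--", host])

def load_hook(expr):
    return eval(expr)

LIMIT = eval("60 * 60")
os.system("uptime")
'''

DYNAMIC_SINKS = {"eval", "exec", "os.system", "os.popen"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

def dotted(node):
    """Return 'a.b' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join([node.id] + parts[::-1])

def audit(source):
    """Return sorted (line, sink) pairs where a non-literal reaches a shell or eval."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = dotted(node.func)
        dynamic = not isinstance(node.args[0], ast.Constant)  # built at runtime
        shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                    and k.value.value is True for k in node.keywords)
        module, _, func = name.partition(".")
        if dynamic and name in DYNAMIC_SINKS:
            findings.append((node.lineno, name))
        elif dynamic and shell and module == "subprocess" and func in SUBPROCESS_FUNCS:
            findings.append((node.lineno, name + " shell=True"))
    return sorted(findings)

if __name__ == "__main__":
    for line, sink in audit(SAMPLE):
        print(f"line {line}: {sink} with non-literal argument")
```

The check matches fully qualified call names only, so aliased imports such as `from subprocess import run` need separate handling; the argument-list form in `probe_safe` is the shape it deliberately does not flag.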

Organisations deploying AI tooling at scale should apply the same security governance to AI infrastructure components — vulnerability management, periodic penetration testing, dependency scanning — that they apply to other production infrastructure software.
