Latest LiteLLM vulnerabilities: CVE-2026-42208, CVE-2026-42203, and CVE-2026-42271 #
LiteLLM disclosed in three advisories that certain versions of LiteLLM Proxy are susceptible to multiple vulnerabilities that can be chained together to achieve remote code execution (RCE). While official container images run the process as root, other deployments execute with the privileges of the user account running the proxy process. Research regarding the exploit chain involving GHSA-r75f-5x8p-qvmc and GHSA-xqmj-j6mv-4862 indicates that the vulnerable code path only triggers after the server has processed "a minimum amount of legitimate interaction."
- CVE-2026-42208: A SQL injection vulnerability exists in the API key verification process due to improper error handling. A remote, unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API endpoint (e.g., /chat/completions). Successful exploitation allows an attacker to read or potentially modify database data, leading to unauthorized access to the proxy and the credentials it manages. This vulnerability has been designated CVE-2026-42208 and has been rated critical with a CVSS score of 9.3.
- CVE-2026-42203: A server-side template injection (SSTI) vulnerability in the /prompts/test API endpoint arises from the improper neutralization of user-supplied prompt templates, which are rendered without sandboxing. A crafted template can execute arbitrary code within the LiteLLM Proxy process. Successful exploitation allows a remote, authenticated user to access secrets in the process environment (e.g., provider API keys or database credentials) or execute arbitrary code on the host. This vulnerability has been designated CVE-2026-42203 and has been rated high with a CVSS score of 8.6.
- CVE-2026-42271: An authenticated command execution vulnerability exists in the MCP stdio test endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list), which are used to preview an MCP server before saving. A remote, low-privileged attacker can exploit this by providing a crafted server configuration in the request body. The command is spawned as a subprocess on the proxy host with the privileges of the proxy process. This vulnerability has been designated CVE-2026-42271 and has been rated high with a CVSS score of 8.7.
These vulnerabilities do not currently have CVE IDs assigned, however, the vulnerability currently designated GHSA-r75f-5x8p-qvmc has been rated critical with a CVSS score of 9.3.
Update (April 27, 2026): The advisories now reflect assigned CVE IDs; however, these remain in a "reserved" state, and further details have not yet been provided by the CNA.
Update (May 8, 2026): There is evidence that CVE-2026-42208 is being actively exploited in the wild. The CVE IDs listed above have been updated with the latest CVSS score information.
Update (June 8, 2026): There is evidence that CVE-2026-42271 is being actively exploited in the wild.
The following versions are affected:
- LiteLLM: Versions 1.81.16 through 1.83.6
What is LiteLLM Proxy? #
LiteLLM Proxy is an open-source gateway that enables applications to interact with multiple large language model (LLM) providers through a single, standardized API by translating requests into the specific formats required by each service.
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged upgrade affected systems to the following versions immediately:
- LiteLLM: Upgrade to v1.83.7-stable or later.
How to find potentially vulnerable systems with runZero #
From the Service inventory, use the following query to locate potentially impacted assets:
_asset.protocol:http AND protocol:http AND (html.title:="LiteLLM%" OR last.html.title:="LiteLLM%")
