
Critical Alert: Oligo Detects and Blocks RCE in LiteLLM (CVE-2026-42271)

Date: Jun 11, 2026
Category: Security, Research
Author: Uri Katz

TL;DR

A new vulnerability chain targeting LiteLLM deployments allows attackers to execute arbitrary commands on AI infrastructure hosts with no credentials required. Oligo's runtime security platform detects active exploitation attempts and blocks RCE at the call stack level, protecting customers even before patching is complete.

Overview

A critical remote code execution vulnerability (CVE-2026-42271) has been discovered in LiteLLM, one of the most widely used open-source LLM proxy gateways, and has been actively exploited in the wild. Researchers at Horizon3.ai demonstrated that it can be reached without authentication by chaining it with a Starlette Host header bypass (CVE-2026-48710), resulting in fully unauthenticated RCE against exposed LiteLLM deployments.

LiteLLM is a common fixture in enterprise AI infrastructure, sitting between applications and model providers like OpenAI, Anthropic, and Azure. A compromise of the LiteLLM proxy means an attacker gains a privileged foothold directly inside your AI stack with access to model API keys, secrets, and downstream systems.

How the Attack Works

LiteLLM exposes two MCP server test endpoints:

  • POST /mcp-rest/test/connection
  • POST /mcp-rest/test/tools/list

These endpoints accept a full server configuration, including a command, arguments, and environment variables, which LiteLLM then spawns as a subprocess on the host. An attacker who can reach these endpoints can supply a malicious command and have it executed directly on the proxy server.

This is the core of CVE-2026-42271: unsanitized user input flows straight into a subprocess call with no validation or sandboxing. Originally, access to these endpoints required a valid proxy API key, but CVE-2026-48710, a Host header validation bypass affecting Starlette-based applications running version 1.0.0 or earlier, allows attackers to skip that requirement entirely. One crafted HTTP request to a publicly reachable LiteLLM deployment is all it takes.

Affected versions: LiteLLM 1.74.2 through 1.83.6, on deployments whose dependency tree includes Starlette ≤ 1.0.0.

What's at Stake

A successful exploit gives attackers:

  • Arbitrary command execution on the LiteLLM host
  • Access to model provider credentials (OpenAI, Anthropic, Azure, and others) stored in the proxy
  • API key and secret theft from the proxy's environment
  • Lateral movement into connected AI infrastructure and backend systems
  • Full compromise of downstream applications integrated with the LLM gateway

In AI-heavy environments, the LiteLLM proxy is an integral chokepoint. Attackers who compromise it can get the keys to your entire AI supply chain.

How Oligo Detects and Blocks RCE in LiteLLM

Oligo's runtime application security platform is built for exactly this threat model: vulnerabilities that live inside applications and are exploited at runtime, often before patches are applied or even available.

Detection

Oligo monitors application behavior at the runtime level, not just at the network or host perimeter. For this vulnerability chain, Oligo detects and blocks the attack across three layers:

Runtime Behavioral Profiling. Oligo builds granular profiles of which commands are executed by which flows and functions under normal operation. When a flow that usually spawns certain commands suddenly spawns unexpected child processes, that deviation from the established baseline is immediately flagged as anomalous, with no signatures or prior CVE knowledge required.

AI-Driven Injection Analysis. Oligo's deep AI analysis inspects arguments and command patterns within the full applicative context of the running service. This means it can distinguish a legitimate MCP server configuration from a malicious payload embedded in the command or args fields, detecting command injection attempts with the contextual awareness needed to bring false positives to near zero.

Network-to-Payload Correlation. Oligo links inbound network activity directly to the payloads that actually execute on the host. When a suspicious HTTP request hits /mcp-rest/test/connection with a malformed Host header consistent with CVE-2026-48710, and that request results in a crafted subprocess being spawned, Oligo correlates the cause and effect end to end, delivering foolproof detection that neither network-only nor endpoint-only tools can match.

These signals are surfaced in real time to security teams, with full context on the call stack, the process tree, and the originating request so analysts can immediately understand the scope and intent of an attack. Examples of alerts in Oligo's dashboard follow.

Blocking

Beyond detection, Oligo's eBPF-based runtime enforcement layer can block the exploit before it has any impact:

Subprocess execution is intercepted before the injected command runs. Even if the attacker successfully bypasses authentication and sends a malicious payload, Oligo prevents the subprocess from being spawned, neutralizing the RCE before it executes without any impact on the running LiteLLM process.

This means Oligo customers are protected even if they haven't yet patched, and even if the attacker reaches the vulnerable endpoint successfully.

Recommended Actions

Patch immediately by upgrading LiteLLM to version 1.83.7 or later.

If immediate patching isn't possible:

  • Block network access to /mcp-rest/test/connection and /mcp-rest/test/tools/list
  • Restrict LiteLLM proxy access to trusted network segments only
  • Review logs for unusual Host header values and unexpected subprocess execution events
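
The log review in the last item can be scripted. The following is an added example, not code from LiteLLM or Oligo: it scans reverse-proxy access logs for POSTs to the two MCP test endpoints and ranks them by whether the Host header is one the deployment expects. The JSON-lines log format, its field names, and the hostnames in EXPECTED_HOSTS are assumptions; the sample log is constructed.

```python
import json
import re

# The two MCP test endpoints named in the advisory.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
# Assumption: the Host values this proxy is legitimately reached under.
EXPECTED_HOSTS = {"llm-gateway.internal.example", "llm-gateway.internal.example:4000"}
# Plain host[:port] syntax; anything else in a Host header deserves a look.
HOST_SYNTAX = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")

# Constructed sample log (JSON lines); the field names are an assumed format.
SAMPLE_LOG = """\
{"src":"10.0.4.17","method":"POST","path":"/chat/completions","host":"llm-gateway.internal.example","status":200}
{"src":"10.0.4.17","method":"POST","path":"/mcp-rest/test/connection","host":"llm-gateway.internal.example","status":200}
{"src":"203.0.113.50","method":"POST","path":"/mcp-rest/test/tools/list","host":"unexpected-name.example","status":200}
{"src":"203.0.113.50","method":"POST","path":"/mcp-rest/test/connection/","host":"not a hostname","status":200}
{"src":"203.0.113.50","method":"GET","path":"/mcp-rest/test/connection","host":"unexpected-name.example","status":405}
truncated line that is not JSON
"""


def classify(entry, expected_hosts=EXPECTED_HOSTS):
    """Return (severity, reason) for a POST to an MCP test endpoint, else None."""
    path = str(entry.get("path", "")).split("?", 1)[0].rstrip("/")
    if entry.get("method") != "POST" or path not in MCP_TEST_PATHS:
        return None
    host = str(entry.get("host") or "")
    if host.lower() in expected_hosts:
        # Expected Host, but these endpoints spawn subprocesses: still review.
        return ("review", "MCP test endpoint called")
    if not HOST_SYNTAX.match(host):
        return ("high", "Host header is not a plain host[:port]")
    return ("high", "Host header not in expected set")


def triage(log_text, expected_hosts=EXPECTED_HOSTS):
    """Scan JSON-lines access logs; return (line, src, severity, reason) tuples."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the scan
        verdict = classify(entry, expected_hosts) if isinstance(entry, dict) else None
        if verdict:
            findings.append((lineno, entry.get("src"), *verdict))
    return findings
```

Calling triage(SAMPLE_LOG) returns three findings: one "review" and two "high". Each finding's timestamp window is where to look for the unexpected subprocess execution events mentioned above.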

With Oligo deployed:

  • Ensure your LiteLLM workloads are covered by Oligo's runtime monitoring
  • Review Oligo alerts for relevant detection signals

Conclusion

The LiteLLM vulnerability chain is a sharp reminder that AI infrastructure carries the same risk surface as any other software and that authentication controls alone are not enough. CVE-2026-42271 was considered low impact because it required an API key, but chaining it with CVE-2026-48710 made that assumption collapse.

Oligo's approach, monitoring and enforcing runtime behavior rather than relying solely on perimeter controls, means our customers have protection that works even when vulnerability chains like this one emerge between patch cycles.

If you're running LiteLLM and want to verify your exposure, or if you'd like to see how Oligo's runtime security platform protects your AI stack, contact our team.
