{ "threat_severity" : "Important", "public_date" : "2026-05-08T03:35:16Z", "bugzilla" : { "description" : "litellm: LiteLLM: Authenticated command execution via MCP stdio test endpoints", "id" : "2467924", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467924" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-78", "details" : [ "LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7.", "A flaw was found in LiteLLM, a proxy server (AI Gateway) for Large Language Model (LLM) APIs. Two endpoints, used for previewing an MCP server before saving it, accepted a full server configuration including command execution parameters. An authenticated user, even with low-privilege internal-user keys, could exploit this by sending a crafted configuration. This allows for arbitrary command execution on the proxy host with the privileges of the proxy process." ], "statement" : "This is an Important flaw affecting LiteLLM, as deployed in Red Hat products like Ansible Automation Platform and OpenShift AI. Authenticated users, even with low-privilege API keys, can execute arbitrary commands on the proxy host. This is due to insufficient role checks on specific endpoints that accept server configurations with command execution parameters.", "affected_release" : [ { "product_name" : "Red Hat OpenShift AI 3.4", "release_date" : "2026-06-22T00:00:00Z", "advisory" : "RHSA-2026:27784", "cpe" : "cpe:/a:redhat:openshift_ai:3.4::el9", "package" : "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9:1781622627" } ], "package_state" : [ { "product_name" : "Exploit Intelligence", "fix_state" : "Not affected", "package_name" : "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "cpe" : "cpe:/a:redhat:exploit_intelligence:0" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-27/lightspeed-chatbot-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-llama-stack-core-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-mlflow-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42271\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42271\nhttps://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable\nhttps://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ], "csaw" : true, "name" : "CVE-2026-42271" }