Command injection in LiteLLM, an LLM proxy (CVE-2026-42271) — even low-privilege users can run arbitrary commands on the host
BerriAI LiteLLM, an open-source LLM proxy that unifies many LLM providers behind one interface, has a command-injection vulnerability. Any authenticated user, including holders of low-privilege internal-user keys, can run arbitrary commands on the host. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; the CVSS 3.1 base score is 8.8 (High).
Key facts
- CVE ID: CVE-2026-42271
- CVSS base score: 8.8 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): BerriAI LiteLLM
- CWE: CWE-78, CWE-77
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-22 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Command injection (CWE-78 / CWE-77) in BerriAI LiteLLM (a popular OSS LLM proxy)
- Any authenticated user, including low-privilege internal-user keys, can run arbitrary commands on the host
- Host takeover can lead to theft of managed API keys/tokens and further intrusion
- Follows LiteLLM's SQL injection (CVE-2026-42208): AI infrastructure is once again the target (CVSS 8.8 High)
- Response: fix per vendor; rotate API keys/tokens and review internal-user key privileges
CVE-2026-42271 is a command-injection vulnerability (CWE-78: improper neutralization of OS commands / CWE-77: command injection) in BerriAI LiteLLM (a popular open-source LLM proxy/gateway that unifies access to many LLM providers behind a single interface). It was added to CISA's KEV catalog on June 8, 2026.
Per NVD, any authenticated user — including holders of low-privilege internal-user keys — can run arbitrary commands on the host running LiteLLM. Although authentication is a prerequisite, proxies like LiteLLM are often shared by distributing keys to many users, so the fact that even a low-privilege key can take over the host is serious. Arbitrary command execution on the host can lead to theft of the API keys and tokens the proxy manages for each LLM provider, and to a foothold for further intrusion.
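To make the CWE-78 pattern concrete, here is an added example (not LiteLLM's code and not the code path behind CVE-2026-42271; the model-name parameter, allowlist regex and `echo` command are assumptions for illustration). It runs a constructed, attacker-controlled value through a vulnerable shell-string call, through an argv-only call, and through an allowlist check, and reports whether the injected second command actually executed:

```python
import re
import subprocess

# Constructed input, as an authenticated low-privilege user might submit it
# through a proxy API. Illustrative only: this is NOT LiteLLM's code or the
# code path behind CVE-2026-42271, just the generic CWE-78 pattern and its fix.
ATTACKER_INPUT = "gpt-4o; echo INJECTED"

# Allowlist for a value that should only ever be a model identifier (assumed format).
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,127}")


def run_vulnerable(user_value: str) -> str:
    """CWE-78 pattern: untrusted text is spliced into a command line that /bin/sh parses.
    Shell metacharacters (';', '|', '$(...)', backticks) in user_value become new commands."""
    cmd = f"echo {user_value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(user_value: str) -> str:
    """First fix: pass the value as a single argv element with no shell.
    The string reaches the program verbatim; nothing interprets ';' or '$(...)'."""
    return subprocess.run(["echo", user_value], capture_output=True, text=True).stdout


def validate_model_name(user_value: str) -> str:
    """Second fix: reject anything outside the allowlist before it reaches any command."""
    if not MODEL_NAME_RE.fullmatch(user_value):
        raise ValueError(f"rejected model name: {user_value!r}")
    return user_value


def run_hardened(user_value: str) -> str:
    """Both layers: allowlist validation, then argv without a shell."""
    return run_argv_only(validate_model_name(user_value))


def was_injected(output: str) -> bool:
    """True only if the shell split the input into two commands, so that the
    injected 'echo INJECTED' ran and produced its own output line."""
    return "INJECTED" in output.splitlines()


def rejected_by_allowlist(user_value: str) -> bool:
    """Convenience check: did the allowlist stop this value?"""
    try:
        validate_model_name(user_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vuln = run_vulnerable(ATTACKER_INPUT)
    argv = run_argv_only(ATTACKER_INPUT)
    print("vulnerable output:", repr(vuln), "injected =", was_injected(vuln))
    print("argv-only output :", repr(argv), "injected =", was_injected(argv))
    print("allowlist rejects:", rejected_by_allowlist(ATTACKER_INPUT))
    print("hardened, valid  :", repr(run_hardened("gpt-4o")))
```

The vulnerable call prints two lines because the shell executed the attacker's second command; the argv-only call prints the whole string as one literal line, and the allowlist rejects it before any command runs. Quoting with `shlex.quote` is a weaker fallback than dropping the shell entirely, and neither replaces validating that the value is the kind of thing it is supposed to be. The same principle applies to any proxy parameter that ends up in a subprocess, a templated command, or a tool invocation.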
It follows the LiteLLM SQL injection (CVE-2026-42208) already covered on this site, another vulnerability in AI infrastructure (the platform that runs and relays LLMs). The pattern shows that the software underpinning AI deployments is being targeted and exploited repeatedly.
Key response: apply fixes or mitigations per the vendor's instructions. For cloud services, follow the applicable BOD 22-01 guidance, and discontinue use of the product if no mitigation is available. Rotate the API keys and tokens LiteLLM manages on the assumption that they have leaked, and review the privileges and distribution of internal-user keys. The federal civilian remediation deadline was June 22, 2026.
Why it matters
This is a case where host takeover of an LLM gateway can expose every AI provider credential it manages. Organizations running LLM proxies like LiteLLM should, beyond patching, rotate API keys and tokens and tighten internal-user key privileges. It is a prompt to revisit key and privilege design for AI infrastructure.
FAQ
What is command injection?
A flaw (CWE-78 / CWE-77) in which attacker-controlled input is inserted into an operating-system command without proper neutralization, so the attacker's text is executed as commands on the host. In this case, any authenticated LiteLLM user can trigger it.
Is it safe because authentication is required?
No. Proxies like LiteLLM are commonly shared by issuing keys to many users, and even a low-privilege internal-user key is enough here (the CVSS vector's PR:L reflects this). A compromised or malicious key holder can take over the host and the provider credentials it manages.
What should I do?
Apply the vendor's fix or mitigation, rotate the API keys and tokens LiteLLM manages on the assumption that they were exposed, and review who holds internal-user keys and what those keys can do. If no mitigation is available, discontinue use.
Sources (primary)
This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).