CVE-2026-42271: LiteLLM Flaw Exploited in the Wild, CISA Adds to KEV
CISA added CVE-2026-42271 (CVSS 8.7) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation against BerriAI LiteLLM deployments.

Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42271, a high-severity command injection vulnerability in BerriAI LiteLLM, to its Known Exploited Vulnerabilities (KEV) catalog on June 8, 2026. CISA cited evidence of active exploitation, making this the first confirmed in-the-wild attack against a LiteLLM flaw. The vulnerability, which carries a CVSS score of 8.7, allows an authenticated user to execute arbitrary commands on the underlying host. Researchers have demonstrated that the flaw can be chained with other weaknesses to achieve unauthenticated remote code execution (RCE), raising the practical risk for organizations running exposed or poorly segmented LiteLLM instances.
Technical Analysis
CVE-2026-42271 is a command injection vulnerability residing in BerriAI LiteLLM, an open-source proxy server that provides a unified interface for multiple large language model (LLM) providers. The flaw was originally disclosed by security researchers who identified that certain API endpoints in LiteLLM fail to properly sanitize user-supplied input before passing it to system shell commands. An authenticated attacker with access to the LiteLLM management interface can inject arbitrary operating system commands, which are then executed with the privileges of the LiteLLM process — typically a non-root service account but still capable of lateral movement or data exfiltration.
The Hacker News reported that the exploit chain goes beyond the authenticated command injection. Researchers found that CVE-2026-42271 can be combined with a separate, as-yet-unnamed authentication bypass or privilege escalation technique to reach the vulnerable endpoint without valid credentials. This chain effectively converts the flaw into an unauthenticated RCE vector. The exact mechanics of the bypass have not been publicly detailed, likely to allow defenders time to patch or mitigate before more threat actors weaponize the full chain.
CISA's KEV inclusion means that federal civilian executive branch (FCEB) agencies are required to remediate the vulnerability by June 29, 2026, per Binding Operational Directive (BOD) 22-01. While CISA did not attribute the exploitation to a specific threat actor or group, the addition to KEV signals that the agency has credible intelligence of active, targeted attacks against LiteLLM deployments. According to BerriAI's advisory, all currently released versions of LiteLLM are affected; a patched release has not yet been published.
Mitigations & Recommendations
As of June 9, 2026, BerriAI has not released a patched version of LiteLLM that addresses CVE-2026-42271. Defenders should take the following immediate steps based on the available threat intelligence:
- Isolate LiteLLM instances: Ensure that the LiteLLM proxy server is not directly accessible from the internet. Place it behind a VPN, bastion host, or firewall with strict access controls. If internet exposure is unavoidable, implement an application-layer firewall or reverse proxy with input validation rules.
- Restrict authenticated access: Audit all accounts with access to the LiteLLM management interface. Disable any accounts that are not strictly necessary. Enforce multi-factor authentication (MFA) on all administrative access paths.
- Monitor for exploitation indicators: Review logs for unusual command execution patterns, especially shell commands appearing in API request parameters. Look for outbound network connections from the LiteLLM host to unknown IP addresses or domains.
- Apply virtual patching: If a web application firewall (WAF) or intrusion prevention system (IPS) is in place, create custom rules to block known command injection payloads targeting LiteLLM endpoints. BerriAI may provide signature guidance in a forthcoming security advisory.
- Prepare for patching: Subscribe to BerriAI's security notifications and plan a maintenance window to apply the patch as soon as it is released. Given the active exploitation, this should be treated as a priority-zero update.
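The "monitor for exploitation indicators" step above can be turned into a log check. The script below is an added example, not code from this article or from the LiteLLM project: it walks the JSON body of each logged API request and flags shell metacharacters in identifier-like fields (model names, file names, config keys), while skipping free-text prompt fields where such characters are normal. The log format, field names and endpoint paths are constructed placeholders, not LiteLLM's real routes.

```python
import json
import re

# Shell metacharacters and substitution syntax that have no place in identifier-like
# request fields. Free-text prompt fields are skipped because natural language and
# code samples legitimately contain these characters.
SHELL_META = re.compile(r"\$\(|\$\{|`|;|\||&&")
FREE_TEXT_FIELDS = {"messages", "prompt", "input", "content"}


def suspicious_fields(value, path=""):
    """Walk a decoded JSON body; return (field_path, value) pairs containing shell metacharacters."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            if key in FREE_TEXT_FIELDS:
                continue  # assumption: these carry user prose, not identifiers
            hits.extend(suspicious_fields(child, f"{path}.{key}" if path else key))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(suspicious_fields(child, f"{path}[{i}]"))
    elif isinstance(value, str) and SHELL_META.search(value):
        hits.append((path, value))
    return hits


def scan_log(lines):
    """Parse constructed log lines 'TIMESTAMP METHOD PATH JSON_BODY' and report suspicious fields."""
    findings = []
    for line in lines:
        try:
            timestamp, method, path, body = line.split(" ", 3)
            payload = json.loads(body)
        except ValueError:
            continue  # malformed line or non-JSON body: skip rather than crash
        for field, value in suspicious_fields(payload):
            findings.append({"time": timestamp, "method": method, "path": path,
                             "field": field, "value": value})
    return findings


# Constructed sample log lines (placeholder paths; the prompt on the first line is benign).
SAMPLE_LOG = [
    '2026-06-09T10:01:02Z POST /placeholder/chat {"model":"gpt-4o","messages":[{"role":"user","content":"explain `ls -la | sort`"}]}',
    '2026-06-09T10:01:05Z POST /placeholder/admin/config {"config_name":"prod;id","value":"1"}',
    '2026-06-09T10:01:07Z POST /placeholder/admin/files {"file_name":"report_$(id).txt"}',
    '2026-06-09T10:01:09Z GET /placeholder/admin/status {}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['method']} {f['path']} field={f['field']} value={f['value']!r}")
```

Tune `FREE_TEXT_FIELDS` to the actual request schema before deploying, otherwise prompts containing code will dominate the alerts.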
Defenders should also assume that threat actors are actively scanning for vulnerable LiteLLM instances. Any organization using LiteLLM in a production environment should treat this as an active incident requiring immediate investigation.