Wasteland.
⚡ Active KEV CVE-2026-42271 2026-06-08

BerriAI LiteLLM Command Injection (CVE-2026-42271) Lands in CISA KEV

A command injection flaw in BerriAI's LiteLLM AI Gateway lets any authenticated user run arbitrary commands on the proxy host, and CISA has confirmed it as actively exploited.

What Is It

LiteLLM is a proxy server (AI Gateway) used to call LLM APIs in the OpenAI format or a provider's native format. In affected versions, two endpoints used to preview an MCP server before saving it, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The only gate on these endpoints was a valid proxy API key; there was no role check. The flaw is classified as CWE-78 (OS command injection) and CWE-77 (command injection).
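As an added illustration of the pattern described above (constructed example code, not LiteLLM's implementation), here is a preview handler that spawns a request-supplied stdio command behind an API-key check alone, beside a hardened variant that requires an admin role and resolves stdio commands only from a server-side registry. The role names, the registry contents and the injectable `spawn` hook are assumptions made for the example.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable

ADMIN_ROLES = {"proxy_admin"}  # assumed role name, not LiteLLM's

# Assumed server-side registry: the only stdio commands the proxy may launch.
SERVER_SIDE_STDIO = {"example-mcp": ["/opt/mcp/example-server", "--stdio"]}


@dataclass
class Caller:
    api_key_valid: bool
    role: str = "internal_user"  # assumed low-privilege role name


def vulnerable_test_connection(caller: Caller, cfg: dict,
                               spawn: Callable = subprocess.run) -> list:
    """Flawed pattern: a valid key is the only gate, and the request-supplied
    command/args/env are spawned as a subprocess on the proxy host."""
    if not caller.api_key_valid:
        raise PermissionError("invalid proxy API key")
    if cfg.get("transport") != "stdio":
        return []
    argv = [cfg["command"], *cfg.get("args", [])]
    spawn(argv, env=cfg.get("env"))  # the request body decides what runs
    return argv


def hardened_test_connection(caller: Caller, cfg: dict,
                             spawn: Callable = subprocess.run) -> list:
    """Hardened pattern: admin role required, and a stdio preview resolves its
    argv from the server-side registry; command/args/env in the body are refused."""
    if not caller.api_key_valid:
        raise PermissionError("invalid proxy API key")
    if caller.role not in ADMIN_ROLES:
        raise PermissionError("admin role required to preview MCP servers")
    if cfg.get("transport") != "stdio":
        return []  # non-stdio transports spawn nothing on the host
    if any(k in cfg for k in ("command", "args", "env")):
        raise ValueError("command/args/env are not accepted from the request")
    argv = SERVER_SIDE_STDIO.get(cfg.get("server_name", ""))
    if argv is None:
        raise ValueError("unknown stdio server; register it server-side first")
    spawn(list(argv), env=None)  # fixed argv and environment
    return list(argv)
```

The role check alone is not enough: an admin-only endpoint that still spawns body-supplied commands turns every admin key into host-level access, so the hardened variant also severs the link between the request body and the argv.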

Why It Matters

Any authenticated user, including holders of low-privilege internal-user keys, could run arbitrary commands on the host. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on 2026-06-08, confirming active exploitation. It carries a CVSS 3.1 base score of 8.8 (HIGH), with network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact. Known ransomware campaign use is listed as Unknown.

What's Vulnerable

LiteLLM versions from 1.74.2 up to (but not including) 1.83.7 are affected (cpe:2.3:a:litellm:litellm).

Patch Status

The issue has been patched in LiteLLM version 1.83.7. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The remediation due date is 2026-06-22. As this affects a common open-source component, CISA advises checking with specific vendors for patching status.
