PT-2026-37185 · Litellm · Litellm

Highjaydns · Published 2026-04-25 · Updated 2026-06-02 · CVE-2026-42271

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LiteLLM versions 1.74.2 through 1.83.6

Description: Two endpoints used to preview an MCP server before saving it, "POST /mcp-rest/test/connection" and "POST /mcp-rest/test/tools/list", accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When a stdio configuration was supplied, the endpoints spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints required only a valid proxy API key and performed no role check, so any authenticated user, including a holder of a low-privilege internal-user key, could execute arbitrary commands on the host. This matches the PR:L (low privileges required) component of the vector above.

Recommendations: Update to version 1.83.7. As a temporary workaround, block the "POST /mcp-rest/test/connection" and "POST /mcp-rest/test/tools/list" endpoints at the reverse proxy or API gateway; this only helps if the proxy is not reachable by any path that bypasses the gateway.
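The following is an added example that models the flaw described above; it is not LiteLLM's code. It contrasts a preview handler that trusts a client-supplied stdio configuration (and runs the command) with a hardened variant that gates the endpoint on an admin role and restricts stdio commands to an allowlist. The role names, the allowlist, and the request bodies are assumptions constructed for the demo; the "malicious" command is just the local Python interpreter printing a marker.

```python
"""Illustrative model of PT-2026-37185 / CVE-2026-42271 (added example, not LiteLLM's code).

A preview endpoint accepts a full MCP server config in the request body and, for
the stdio transport, spawns the supplied command on the proxy host. Role names,
the allowlist and the sample bodies are assumptions for this demo.
"""
import os
import subprocess
import sys
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not use the endpoint."""


@dataclass
class Caller:
    api_key_valid: bool   # did the proxy accept the bearer key?
    role: str             # e.g. "internal_user" or "proxy_admin" (assumed names)


ADMIN_ROLES = {"proxy_admin"}          # assumed role allowed to manage MCP servers
STDIO_COMMAND_ALLOWLIST = {"npx"}      # assumed: only known MCP launchers may be spawned

# Constructed request body: a low-privilege user "previews" a server whose
# command is the local Python interpreter printing a marker string.
MALICIOUS_BODY = {
    "transport": "stdio",
    "command": sys.executable,
    "args": ["-c", "print('executed on proxy host')"],
    "env": {"DEMO": "1"},
}
HTTP_BODY = {"transport": "http", "url": "https://mcp.example.internal/"}


def _require_valid_key(caller: Caller) -> None:
    if not caller.api_key_valid:
        raise Forbidden("invalid proxy API key")


def preview_connection_vulnerable(caller: Caller, body: dict) -> dict:
    """Pre-fix shape: any valid key passes, there is no role check, and a stdio
    config goes straight into a subprocess running with the proxy's privileges."""
    _require_valid_key(caller)
    if body.get("transport") == "stdio":
        env = {**os.environ, **body.get("env", {})}   # caller controls env too
        proc = subprocess.run(
            [body["command"], *body.get("args", [])],
            env=env, capture_output=True, text=True, timeout=10,
        )
        return {"status": "connected", "stdout": proc.stdout.strip()}
    return {"status": "connected", "stdout": ""}


def preview_connection_hardened(caller: Caller, body: dict) -> dict:
    """One hardening: gate the endpoint on an admin role, and even for admins
    refuse stdio commands outside an allowlist rather than running arbitrary
    ones. Nothing is spawned in this demo variant."""
    _require_valid_key(caller)
    if caller.role not in ADMIN_ROLES:
        raise Forbidden("MCP server preview requires an admin key")
    if body.get("transport") == "stdio":
        if os.path.basename(body.get("command", "")) not in STDIO_COMMAND_ALLOWLIST:
            raise Forbidden("stdio command not in allowlist")
    return {"status": "accepted", "stdout": ""}


def demo() -> dict:
    """Send the same malicious body to both variants as an internal user."""
    user = Caller(api_key_valid=True, role="internal_user")
    vulnerable = preview_connection_vulnerable(user, MALICIOUS_BODY)
    try:
        preview_connection_hardened(user, MALICIOUS_BODY)
        hardened = "allowed"
    except Forbidden as exc:
        hardened = f"blocked: {exc}"
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable handler returning the marker printed by the spawned process, while the hardened handler rejects the same request before anything is executed. The allowlist check is deliberately applied even to admins: an admin key that can spawn arbitrary commands is still a host-compromise path if that key leaks.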

Fix: version 1.83.7

Weakness Enumeration

OS Command Injection (CWE-78)
Command Injection (CWE-77)

Related Identifiers

CVE-2026-42271
ECHO-C4C7-AED2-2231
GHSA-V4P8-MG3P-G94G

Affected Products

Litellm