A command injection vulnerability in BerryAI's LiteLLM has been added to CISA's Known Exploited Vulnerabilities catalog and is under active exploitation. CVE-2026-42271 allows attackers to execute arbitrary commands on the host system. CISA has given US federal civilian agencies until June 22, 2026, to remediate.
If you're running LiteLLM to manage API calls to multiple LLM providers, an attacker can gain command execution on your infrastructure. The vulnerability chains with CVE-2026-48710, an authentication bypass in the Starlette web framework that LiteLLM depends on.
Timeline
April 2026: CVE-2026-42271 publicly disclosed. The vulnerability affects LiteLLM's handling of user-supplied input in API endpoints.
Shortly after disclosure: Threat actors begin active exploitation. CISA observes attacks in the wild.
June 2026: CISA adds CVE-2026-42271 to its KEV catalog, mandating federal agencies patch by June 22, 2026.
Current status: Starlette v1.0.1 fixes CVE-2026-48710. Organizations running vulnerable LiteLLM versions remain exposed to command injection attacks.
Which Controls Failed or Were Missing
Insufficient input validation: LiteLLM failed to sanitize user input before passing it to system commands, allowing execution of untrusted data in a privileged context.
Missing dependency security monitoring: Organizations had no mechanism to detect that their AI gateway depended on a vulnerable version of Starlette, creating a path to the command injection vulnerability.
Delayed patching cycles: The gap between April disclosure and June exploitation shows that patch management processes weren't responsive enough. AI infrastructure components need regular maintenance like production web applications.
Inadequate network segmentation: Systems running LiteLLM had direct access to execute commands on the host, expanding the blast radius of command injection due to lack of isolation from sensitive resources.
No runtime protection: Organizations lacked application-level firewalls or runtime application self-protection (RASP) to detect and block command injection attempts even in vulnerable code.
What the Standards Require
OWASP ASVS v4.0.3, Verification Requirement 5.3.8: "Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding."
LiteLLM's failure to validate input before executing commands directly violates this requirement. Your AI infrastructure must treat all user input as untrusted, even when it comes through API endpoints you assume are only called by internal services.
PCI DSS v4.0.1, Requirement 6.3.2: "An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management."
If you're processing payment data anywhere in your environment, you need a complete inventory of every component in your AI stack, including frameworks like Starlette that LiteLLM depends on.
NIST 800-53 Rev 5, SI-2 (Flaw Remediation): "Organizations identify, report, and correct system flaws... install security-relevant software and firmware updates within the time period specified in the organization policy."
CISA's June 22 deadline for federal agencies represents the outer bound of acceptable remediation time for a KEV-listed vulnerability. Your policy should define similar SLAs.
ISO/IEC 27001, Control 8.8 (Management of Technical Vulnerabilities): "Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken."
The key phrase is "exposure shall be evaluated." You need to know if you're running LiteLLM, which version, and whether it's exposed to untrusted input.
Lessons and Action Items for Your Team
Build a complete dependency graph for AI infrastructure: Map every library, framework, and SDK your LLM gateway uses. Use tools like pip-audit for Python or npm audit for Node.js to identify vulnerable transitive dependencies. Schedule this audit quarterly at minimum.
Treat AI components as critical production systems: LiteLLM and similar tools route requests to external APIs and often have elevated privileges. They deserve the same patch management rigor as your web application servers.
Implement input validation at every boundary: Validate and sanitize input even if you think an API endpoint only receives calls from internal services. Use allowlists for command parameters and parameterized interfaces to prevent injection.
Segment AI infrastructure from production data: Run LiteLLM and similar components in isolated network segments. Use the principle of least privilege to limit what an attacker can reach after initial compromise.
Monitor for exploitation indicators: Watch for unusual command execution patterns, unexpected outbound network connections, or API calls with suspicious payloads. Review logs from April onward for signs of reconnaissance or exploitation attempts.
Upgrade immediately: Update to the patched version of LiteLLM and ensure Starlette is at v1.0.1 or later. If you can't patch immediately, take the vulnerable instance offline or place it behind a web application firewall configured to block command injection patterns.
Test your incident response: Use this as a tabletop exercise. How would your team discover you were running a vulnerable version? How long would it take to patch? Who has authority to take a production AI service offline? Document the gaps you find.
The federal deadline is June 22. Your deadline should be sooner.
CVE Details
