What Happened
BerriAI's LiteLLM, a proxy layer for managing multiple LLM providers, contained a command injection vulnerability (CVE-2026-42271) that allowed authenticated users to execute arbitrary commands on the host system. The flaw affected LiteLLM versions 1.74.2 through 1.83.6.
When combined with CVE-2026-48710 in the Starlette web framework, attackers could achieve unauthenticated remote code execution. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in production environments.
Timeline
Initial Disclosure: BerriAI released patches for LiteLLM versions below 1.83.7.
Severity Assessment: CVE-2026-42271 received a CVSS score of 8.7 (High).
Exploit Chain Discovery: Security researchers identified that combining CVE-2026-42271 with Starlette's CVE-2026-48710 enabled unauthenticated RCE, elevating the combined CVSS score to 10.0 (Critical).
Active Exploitation: CISA confirmed exploitation in the wild and mandated federal agencies patch by a specific deadline.
Current Status: Patches are available in LiteLLM v1.83.7 and later.
Which Controls Failed or Were Missing
Dependency Inventory: Organizations running affected versions lacked visibility into their Python dependency trees. LiteLLM's reliance on Starlette wasn't tracked or monitored for security updates.
Input Validation: The command injection vulnerability indicates missing input sanitization controls. User-supplied data reached system command execution functions without proper validation or escaping.
Authentication Bypass Prevention: The Starlette vulnerability allowed attackers to circumvent authentication entirely, suggesting missing controls to prevent unauthenticated access to sensitive endpoints.
Vulnerability Scanning: Organizations using LiteLLM in production didn't detect the vulnerability before exploitation, pointing to gaps in Software Composition Analysis (SCA) or delayed scanning cycles.
Patch Management: The window between patch availability and exploitation suggests organizations lacked processes for emergency patching of critical infrastructure components.
What the Standards Require
PCI DSS v4.0.1 Requirement 6.3.2 mandates identifying security vulnerabilities using industry-recognized sources and assigning a risk ranking. For AI infrastructure processing payment data, maintain an inventory of all dependencies and their CVE exposure.
OWASP ASVS v4.0.3 Section 1.14 requires verification that all components are up to date and that a software bill of materials (SBOM) exists. Your LiteLLM deployment should document every dependency, including Starlette, with version pinning and automated update checks.
NIST 800-53 Rev 5 Control SI-2 (Flaw Remediation) requires installing security-relevant software updates within time periods defined by organizational risk assessment. For a vulnerability with a CVSS 10.0 exploit chain, your incident response plan should trigger emergency patching within 24-48 hours.
ISO/IEC 27001:2022 Control 8.8 (Management of Technical Vulnerabilities) requires obtaining information about technical vulnerabilities in a timely fashion and evaluating exposure. This control failed when teams didn't monitor for LiteLLM security advisories or GitHub security alerts.
SOC 2 Type II CC7.1 (Common Criteria 7.1) requires detecting, identifying, and responding to security incidents. Organizations that discovered exploitation through CISA's KEV catalog rather than their own monitoring failed this control.
Lessons and Action Items for Your Team
Build Your Dependency Tree Today
Run pip-audit or safety check against your Python environments. For LiteLLM specifically, run pip show litellm and pip show starlette to confirm versions. Document every dependency three levels deep—CVE-2026-48710 proves that your dependencies' dependencies matter.
Implement Automated SCA
Add Dependabot, Snyk, or Mend to your CI/CD pipeline. Configure it to fail builds when high-severity CVEs appear in production dependencies. Set Slack or PagerDuty alerts for critical findings—don't wait for weekly reports.
Create a Dependency Patching SLA
Define maximum time-to-patch windows by CVSS score:
- CVSS 9.0-10.0: 24 hours
- CVSS 7.0-8.9: 7 days
- CVSS 4.0-6.9: 30 days
Document your rationale and get stakeholder sign-off. When CISA adds a vulnerability to KEV, treat it as CVSS 10.0 regardless of the published score.
Pin Your Dependencies with Upper Bounds
Your requirements.txt should look like this:
litellm>=1.83.7,<1.84.0
starlette>=0.38.0,<0.39.0
This prevents automatic updates that introduce breaking changes while ensuring you stay within patched ranges. Review and bump these bounds monthly.
Segment Your AI Infrastructure
LiteLLM proxies shouldn't run on systems with direct internet exposure. Place them behind API gateways with rate limiting and authentication. Use network policies to restrict which services can reach your LLM proxy—command injection is less severe when the compromised container can't pivot.
Test Your Exploit Chain Exposure
The CVE-2026-42271 and CVE-2026-48710 chain demonstrates why you need to test combinations, not just individual vulnerabilities. Run quarterly exercises where your security team attempts to chain known CVEs in your stack. If you can chain them, so can attackers.
Monitor CISA's KEV Catalog Automatically
CISA publishes the KEV catalog as a JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. Write a script that checks this daily and cross-references against your SBOM. When you find a match, trigger your emergency patch process.
The LiteLLM incident proves that AI infrastructure requires the same rigorous dependency management as traditional applications. Your LLM proxy isn't special—it's Python code with dependencies that need patching. Treat it accordingly.
