LiteLLM Command Injection Chained with Starlette BadHost Bypass Hits CVSS 10.0

• POST /mcp-rest/test/connection

• POST /mcp-rest/test/tools/list

Both endpoints accept a complete MCP server configuration in the JSON request body, including the Cmd, args, and env fields that the stdio transport uses to launch server processes . When an authenticated user calls either endpoint with this configuration, LiteLLM takes the supplied Cmd value and spawns it as a subprocess on the host machine, running it with the same operating system privileges as the LiteLLM proxy process itself .

Originally, BerriAI disclosed this as an authenticated remote code execution bug—an attacker needed a valid API key to reach the endpoints, and there was no role-based check to restrict who could call them. Even a low-privilege internal user with any valid proxy API key could execute arbitrary commands on the host . But the story didn't end there.

The Starlette BadHost Bypass That Removes the Authentication Requirement

The second vulnerability is CVE-2026-48710, nicknamed "BadHost" by researchers. This is a host-header validation flaw in Starlette, the lightweight ASGI framework that underpins FastAPI, vLLM, and thousands of other Python web applications—including LiteLLM . All Starlette versions from 0.8.3 through 1.0.0 are affected .

The root cause is a parser disagreement between how Starlette routes incoming requests and how it reconstructs the URL for application logic . The ASGI routing layer uses the raw HTTP path from the request to decide which endpoint handles it. But request.url—the URL that application middleware and decorators see—is rebuilt by concatenating the raw Host header value with the request path, without proper validation .

By injecting URI authority-to-path delimiter characters such as ? or # into the Host header, an attacker can make request.url.path appear completely different from the actual routed path . The middleware sees a harmless path like /, while the router forwards the request to the real target endpoint behind the scenes. Any path-based authentication middleware that trusts request.url.path can be bypassed trivially .

Putting the Chain Together: From 8.7 to 10.0

LiteLLM's authentication decorator checks request.url.path to determine whether a request needs a valid API key. The BadHost bypass lets an attacker manipulate that URL so the authentication middleware sees a path that does not require authentication, while the ASGI router simultaneously dispatches the request to one of the vulnerable MCP command injection endpoints .

This removes the single access-control gate that stood between the internet and arbitrary command execution. An attacker with no credentials and no prior access to the network can send a single crafted HTTP request that bypasses authentication entirely and runs operating system commands on the LiteLLM proxy host . Horizon3.ai confirmed the full chain works and assigned it a combined CVSS score of 10.0—maximum severity—because it achieves unauthenticated remote code execution .

What Attackers Can Do With This Access

Successful exploitation gives attackers command execution with the privileges of the LiteLLM proxy process. From there, the threat surface expands quickly:

• Arbitrary command execution: Attackers can install backdoors, malware, cryptocurrency miners, or any other software the host process permissions allow .
• Credential theft at scale: The LiteLLM proxy sits between applications and dozens of LLM providers. It stores API keys for OpenAI, Anthropic, Azure, AWS Bedrock, Google, and other connected services in its database or environment variables . Exploiting this vulnerability lets attackers exfiltrate every stored credential in a single operation.
• Lateral movement through AI infrastructure: With stolen cloud API keys and shell access to the proxy host, attackers can pivot into connected services, internal MCP servers, vector databases, and downstream agent frameworks .
• Wider ecosystem implications: Starlette's BadHost flaw affects over 400,000 dependent projects, including FastAPI applications, vLLM servers, MCP server deployments, and AI agent frameworks. Any of these that use path-based authentication middleware on Starlette versions before 1.0.1 are similarly exposed to authentication bypass .

Why CISA's Move Raises the Urgency

CISA adding CVE-2026-42271 to the KEV catalog on June 8, 2026, confirms that the vulnerability is not theoretical—attackers are actively weaponizing it right now . Under the Binding Operational Directive 22-01, all U.S. federal civilian executive branch agencies must patch KEV-listed vulnerabilities within an assigned remediation timeframe. CISA also strongly recommends that all organizations, public and private, treat KEV additions as emergency patching priorities .

Immediate Remediation Steps

The fix for the chained exploit requires updates on two fronts, plus several defense-in-depth measures to address credential exposure:

1. Upgrade LiteLLM to version 1.83.7 or later. This release removes the MCP test endpoints' ability to execute user-supplied commands directly, closing the command injection vector entirely .
2. Upgrade Starlette to version 1.0.1 or later. The patch validates incoming Host headers against the URL specification and ignores headers that contain invalid characters, preventing the path-confusion trick that powers the authentication bypass .
3. Rotate every stored credential immediately. Assume that any API key, access token, or database credential the LiteLLM proxy has ever stored has been compromised. Rotate all OpenAI, Anthropic, Azure, AWS, and other provider keys, and check billing dashboards for unauthorized usage .
4. Block the endpoints at the reverse proxy or WAF. As a defense-in-depth measure while patches are rolling out, configure your reverse proxy or web application firewall to drop any request to

   POST /mcp-rest/test/connection

   and

   POST /mcp-rest/test/tools/list

   before they reach the application .
5. Audit for unauthorized access retrospectively. Check LiteLLM proxy logs for unusual activity on the MCP test endpoints, particularly requests from unexpected IP addresses or those with manipulated Host headers .

The combined CVSS 10.0 severity, active exploitation in the wild, and CISA's KEV designation mean organizations running LiteLLM or Starlette-powered services should treat this as an emergency patch-and-rotate event. The window between active exploitation and credential exfiltration is already open.