BerriAI LiteLLM Command Injection (CVE-2026-42271): Authenticated Users Can Execute Arbitrary Host Commands, Added to CISA KEV

A command injection vulnerability in BerriAI LiteLLM, tracked as CVE-2026-42271, allows any authenticated user — including holders of low-privilege internal-user API keys — to execute arbitrary operating system commands on the host. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on June 8, 2026 with a federal agency remediation deadline of June 22, 2026.

What Is the Vulnerability?

CVE-2026-42271 is a command injection vulnerability in LiteLLM — an open-source library that provides a unified interface for calling LLM APIs from providers including OpenAI, Anthropic, Google, and others. LiteLLM is widely deployed in AI/ML application stacks as the API gateway between applications and LLM providers, handling authentication, rate limiting, cost tracking, and model routing.

The vulnerability allows any authenticated user — including those with only low-privilege internal-user API keys — to inject and execute arbitrary operating system commands on the host running LiteLLM. In typical AI/ML infrastructure deployments, the LiteLLM host has access to: API keys for multiple commercial LLM providers, cloud credentials (AWS, GCP, Azure) for model hosting and inference, and network access to internal AI/ML services and data stores. A compromised LiteLLM instance provides an attacker with a pivot point into both the AI infrastructure and the broader cloud environment.

  • CVSS v3.1 Score: 8.8 (High — estimated)
  • Attack Vector: Network — requires authenticated API access
  • CISA KEV: Added June 8, 2026 — deadline June 22, 2026

Which Versions Are Affected?

  • BerriAI LiteLLM — affected versions. Update to the latest patched release.

Is It Being Exploited in the Wild?

CISA KEV addition signals active exploitation concern, though the June 22 deadline (two weeks) is less aggressive than the 72-hour windows used for perimeter VPN vulnerabilities, suggesting the attack surface is smaller or the exploitation complexity is higher. However, the KEV addition still means organisations should patch proactively.

What Is the Fix?

Update LiteLLM to the latest patched version. After updating, rotate all API keys and credentials accessible from the LiteLLM host — provider API keys, cloud credentials, and any secrets stored in environment variables or configuration files accessible to the LiteLLM process.

Recommendations

Update LiteLLM within your normal patching cycle — do not defer beyond June 22. The KEV deadline provides time for testing, but the command injection capability on AI infrastructure warrants prompt attention.

Rotate credentials after patching. If your LiteLLM instance was running a vulnerable version, rotate all API keys and cloud credentials accessible from the host.
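The two rotation steps above (in "What Is the Fix?" and here) are easier to carry out from an inventory than from memory. The following script is an added example, not code from the page or from the LiteLLM project: it builds a list of credential names the LiteLLM process could read, from the process environment and from a proxy config file. It assumes the LiteLLM convention of referencing secrets in config as `os.environ/NAME`, and the environment and config it scans are constructed sample data; the name patterns are a heuristic to adjust for your deployment.

```python
import os
import re

# Environment variable names that usually hold credentials (heuristic, constructed for this example).
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|CREDENTIALS)$|^(AWS|AZURE|GOOGLE|GCP)_", re.I)
# LiteLLM config.yaml refers to secrets as "os.environ/NAME" (assumed convention).
ENV_REF_RE = re.compile(r"os\.environ/([A-Za-z0-9_]+)")
# Literal secrets placed directly in config must be rotated too, and moved out of the file.
LITERAL_KEY_RE = re.compile(
    r"^\s*(api_key|master_key|aws_secret_access_key)\s*:\s*(?!os\.environ/)(\S+)", re.M
)

# Constructed sample environment (values are placeholders, never real keys).
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "HOME": "/home/litellm",
    "OPENAI_API_KEY": "sk-constructed",
    "AWS_SECRET_ACCESS_KEY": "constructed",
    "LITELLM_MASTER_KEY": "sk-constructed-master",
}

# Constructed sample LiteLLM proxy config.
SAMPLE_CONFIG = """
model_list:
  - model_name: gpt-4o
    litellm_params:
      model: openai/gpt-4o
      api_key: os.environ/OPENAI_API_KEY
  - model_name: claude
    litellm_params:
      model: anthropic/claude-3-5-sonnet
      api_key: os.environ/ANTHROPIC_API_KEY
  - model_name: legacy
    litellm_params:
      model: anthropic/claude-3-haiku
      api_key: sk-ant-constructed-literal
general_settings:
  master_key: os.environ/LITELLM_MASTER_KEY
"""


def find_rotation_candidates(env, config_text):
    """Return {credential name: where it was found} for everything the process could read.

    Only names are returned, never values, so the output is safe to paste into a ticket.
    """
    candidates = {}
    for name in env:
        if SECRET_NAME_RE.search(name):
            candidates[name] = "environment"
    for name in ENV_REF_RE.findall(config_text):
        # Referenced by config but possibly not set in this environment: still on the rotation list.
        candidates.setdefault(name, "config reference")
    for key, value in LITERAL_KEY_RE.findall(config_text):
        candidates[f"{key}={value[:4]}..."] = "hardcoded in config"
    return candidates


if __name__ == "__main__":
    # On a real host, pass dict(os.environ) and the contents of your proxy config file.
    for name, source in sorted(find_rotation_candidates(SAMPLE_ENV, SAMPLE_CONFIG).items()):
        print(f"{source:20} {name}")
```

Run it against the real environment of the LiteLLM service account (for example via `systemd-run` or inside the container) rather than your own shell, since the point is what the compromised process could reach.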

Review LiteLLM audit logs. Check for unexpected command execution patterns or API calls from low-privilege keys that performed administrative-level actions.
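One way to run the audit-log review described above as a repeatable check, added here as an example (not code from the page or the LiteLLM project): it flags calls to administrative proxy routes made by keys whose role is not admin, and ranks keys by how often they did so. The JSON-lines log format and field names below are constructed for the example, and the route list is an assumption to adjust to your deployment; map your real audit fields onto them before use.

```python
import json
from collections import Counter

# Constructed JSON-lines audit sample; LiteLLM's real log schema may use different field names.
SAMPLE_LOG = """
{"ts": "2026-06-09T08:00:01Z", "key_alias": "ops-admin", "user_role": "proxy_admin", "path": "/key/generate", "status": 200}
{"ts": "2026-06-09T08:02:14Z", "key_alias": "app-frontend", "user_role": "internal_user", "path": "/chat/completions", "status": 200}
{"ts": "2026-06-09T08:05:33Z", "key_alias": "app-frontend", "user_role": "internal_user", "path": "/key/generate", "status": 200}
{"ts": "2026-06-09T08:05:40Z", "key_alias": "app-frontend", "user_role": "internal_user", "path": "/team/new", "status": 403}
this line is not JSON and must not abort the review
{"ts": "2026-06-09T08:07:02Z", "key_alias": "batch-job", "user_role": "internal_user", "path": "/chat/completions", "status": 200}
"""

# Administrative routes a low-privilege key should never need (assumed list; adjust to your proxy).
ADMIN_PATHS = {"/key/generate", "/key/delete", "/user/new", "/team/new", "/config/update"}
PRIVILEGED_ROLES = {"proxy_admin"}


def parse_audit_lines(text):
    """Yield parsed events, skipping blank or malformed lines instead of aborting the review."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_suspicious_actions(text):
    """Return admin-route calls made by non-admin keys, oldest first.

    severity "high": the call succeeded (HTTP status below 400, or status missing, treated
    conservatively); "low": the proxy rejected it, which still shows a key probing admin routes.
    """
    findings = []
    for ev in parse_audit_lines(text):
        if ev.get("path") in ADMIN_PATHS and ev.get("user_role") not in PRIVILEGED_ROLES:
            findings.append({
                "ts": ev.get("ts"),
                "key_alias": ev.get("key_alias", "<unknown>"),
                "path": ev["path"],
                "severity": "high" if int(ev.get("status", 0)) < 400 else "low",
            })
    return sorted(findings, key=lambda f: f["ts"] or "")


def keys_to_investigate(findings):
    """Count findings per key so the noisiest keys are reviewed (and revoked) first."""
    return Counter(f["key_alias"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_actions(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['severity']}] {f['ts']} key={f['key_alias']} called {f['path']}")
    print("per-key counts:", dict(keys_to_investigate(hits)))
```

A successful `/key/generate` from a non-admin key is the finding to treat most seriously, since a newly minted key outlives the patch; include any keys created in that window in the rotation step above.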

This advisory was first covered in the broader Vulnerability Intelligence Report — June 9, 2026.
