The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in BerriAI's LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence that attackers are exploiting it in the wild.

The flaw, tracked as CVE-2026-42271, is a command injection vulnerability in the widely used AI infrastructure tool. What makes it particularly alarming is that the authenticated command injection can be chained to achieve fully unauthenticated remote code execution, effectively allowing attackers with no legitimate credentials to take control of affected systems.

LiteLLM is an open-source API gateway and proxy that simplifies interactions with large language models from major commercial and open-source providers. Organisations deploy it to manage API keys, route requests, and normalise interfaces across multiple LLM backends — a role that often places it in direct proximity to sensitive credentials and internal infrastructure.

From authenticated injection to full system compromise

CVE-2026-42271 starts as a flaw that any authenticated LiteLLM user could exploit to execute arbitrary commands on the underlying host. On its own, that would already be a serious issue for any multi-tenant or shared deployment. However, the chaining mechanism that escalates this to unauthenticated RCE is what transforms the vulnerability from a significant internal threat into an externally exploitable emergency.

The details of exactly how the chaining works have not been fully disclosed publicly, but the practical implication is clear: organisations running exposed or internet-facing LiteLLM instances face the risk of complete system compromise by attackers who hold no valid credentials.

CISA's KEV listing signals broad urgency

While CISA's Binding Operational Directive 22-01 technically requires only U.S. federal civilian agencies to remediate KEV-listed vulnerabilities within specified deadlines, the catalog functions as a de facto priority list for the wider security community. Security teams across industries routinely treat KEV additions as a signal to assess and patch urgently, regardless of regulatory obligation.

The addition of CVE-2026-42271 underscores a growing concern around the security posture of AI infrastructure tooling. As organisations race to integrate LLMs into production workflows, middleware like LiteLLM becomes an attractive attack surface — sitting between users and model providers, often holding API keys and managing authentication flows.

What organisations should do

BerriAI has released patches addressing the vulnerability, and all users are urged to update to the latest available version immediately. Security teams should also audit their deployments for signs of compromise, particularly checking for unexpected processes, modified files, or outbound connections that could indicate command execution by an attacker.

For organisations running LiteLLM on internet-facing infrastructure, network segmentation and strict access controls should be treated as interim measures if patching cannot be done immediately.

The incident serves as a reminder that AI tools require the same rigour in vulnerability management as any other critical infrastructure component — and that authenticated-only flaws should never be dismissed as low risk, given how readily they can be escalated.

