GHSA-v4p8-mg3p-g94g
LiteLLM: Authenticated command execution via MCP stdio test endpoints
Details
### Impact
Two endpoints used to preview an MCP server before saving it — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
### Patches
Fixed in **`1.83.7`**. Both test endpoints now require the `PROXY_ADMIN` role, bringing them into line with the save endpoint.
### Workarounds
If upgrading is not immediately possible, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-42271 [ADVISORY]
- https://github.com/BerriAI/litellm [PACKAGE]
- https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable [WEB]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42271 [WEB]