LiteLLM chains with BadHost for a CVSS 10.0 zero-auth path into your AI gateway — CISA deadline June 22

Yesterday's BadHost story covered how a single / in an HTTP Host header bypasses Starlette's path-based auth. Today, Horizon3.ai published the exploit chain that upgrades that auth bypass into zero-credential remote code execution against any LiteLLM deployment. The combined CVSS score is 10.0 Critical — the ceiling.

The LiteLLM flaw (CVE-2026-42271, CVSS 8.7). Two endpoints for previewing MCP server connections before saving — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accept a full server config in the request body, including the command, args, and env fields used by the stdio transport. Any authenticated user can pass arbitrary OS commands and have them executed on the host.

The chain. BadHost (CVE-2026-48710) removes the "authenticated" requirement entirely on Starlette ≤1.0.0 deployments. Send a malformed Host header, bypass path-based auth, then call the MCP preview endpoint with your chosen command. Result: run arbitrary code on the LiteLLM host with no credentials whatsoever. The attacker then has access to every API key stored in the proxy, can impersonate any downstream model provider, and can move laterally through connected AI infrastructure.

CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities (KEV) catalog on June 9, citing confirmed active exploitation in the wild, and directed US federal agencies to remediate by June 22, 2026. That's 10 days.

Remediation is two-step: update LiteLLM to 1.83.7+ and Starlette to 1.0.1+ — both patches are required because the chain exploits both vulnerabilities. If you cannot patch immediately, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy or API gateway. For any internet-accessible LiteLLM instance, this is not optional.

Sources: Horizon3.ai: CVE-2026-42271 chained with CVE-2026-48710, The Hacker News, SOCRadar: CISA KEV update, Help Net Security, rescana: active exploitation alert