BerriAI LiteLLM Command Injection Vulnerability
BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.
Quick answer
BerriAI LiteLLM should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 3.4
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Upgrade LiteLLM to the fixed release and lock down MCP, proxy, and administrative routes. LiteLLM commonly stores provider credentials and routing rules, so remediation should include secret rotation and review of model access logs.
- Inventory every LiteLLM proxy, gateway, container, Helm chart, and development deployment.
- Upgrade LiteLLM to the fixed release identified in the GitHub advisory or vendor release notes.
- Disable exposed MCP stdio test or administrative endpoints unless they are required and strongly authenticated.
- Place LiteLLM behind SSO, network allow-lists, TLS, and least-privilege API key controls.
- Rotate model provider keys, LiteLLM master keys, database credentials, environment secrets, and integration tokens.
- Review LiteLLM logs, subprocess execution traces, request history, and configuration changes for suspicious activity.
- Redeploy from clean images and verify runtime configuration does not mount unnecessary host paths or secret files.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the running LiteLLM version is the fixed release from the advisory.
- Validate MCP, admin, and proxy routes require approved authentication and are not publicly exposed.
- Check logs for unauthorized tool execution, unusual model calls, or secret access during the vulnerable period.
- Run integration tests for approved model routing after key rotation.
- Run a Fixnx scan against the public LiteLLM-facing site or API gateway after remediation.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-42271?
BerriAI LiteLLM versions listed as affected should be reviewed: 3.4.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
