All articles
Threat IntelligenceApril 2026·9 min read

LiteLLM Flaw Allowed Host Takeover via Insecure Test Endpoints

A critical vulnerability in the popular LLM proxy allowed any authenticated user to execute arbitrary commands, highlighting the security risks of multi-agent control plane software.

LiteLLM Flaw Allowed Host Takeover via Insecure Test Endpoints

Illustration generated by Helixar Research Labs. Not a depiction of a real system, attack, or affected product.

At a Glance

GHSA-v4p8-mg3p-g94g

Identifier

Critical

Severity

Authenticated Network

Attack Vector

LiteLLM

Affected Product

A critical remote code execution vulnerability was discovered in LiteLLM, a widely used tool for managing and translating requests to various large language models. The flaw allowed any user with a valid API key to run arbitrary commands on the server hosting the LiteLLM proxy. This issue exposed a significant security gap in a key piece of agentic AI infrastructure, turning a low-privilege key into full control over the host machine [1].

The Agentic Control Plane Compromised

LiteLLM serves as a unified interface for over 100 LLM APIs. Its Multi-Call Parallelism (MCP) server feature is designed for complex, agentic workflows. This feature allows developers to route and manage simultaneous calls from multiple sources, such as different autonomous agents or microservices. The MCP server acts as a central nervous system for these operations.

This vulnerability strikes at the heart of that system. An attacker who gains control of the MCP server can observe, modify, or disrupt all agent communications passing through it. They could also use the compromised host as a launchpad for lateral movement within the network. The flaw effectively breaks the trust boundary between individual agents and the central orchestrator, a foundational security assumption in many agentic architectures.

Deconstructing the Attack Chain

The attack exploits two internal testing endpoints: `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list`. These endpoints were intended to let administrators preview an MCP server configuration before saving it. An attacker needs only a valid LiteLLM proxy API key to access them. Crucially, any key was sufficient, including low-privilege keys intended for internal users or simple, single-purpose agents [2].

An attacker would craft a POST request to one of these endpoints. The request body contains a JSON object that mimics a server configuration. The vulnerability lies in how the endpoints handled configurations for the `stdio` transport type. By supplying a `stdio` configuration, an attacker could specify a command, arguments, and environment variables.

When the test endpoint processed this malicious configuration, it attempted to establish a connection. This action spawned the attacker-supplied command as a subprocess on the proxy host. The command ran with the same permissions as the LiteLLM proxy process itself. A simple payload could establish a reverse shell, giving the attacker interactive command-line access to the compromised server.

OPERATOR ACTION

Update LiteLLM to version 1.83.7 or newer to patch this vulnerability.

Root Cause: A Missing Role Check

The fundamental flaw was a missing authorization check. The vulnerable endpoints correctly verified that a valid API key was provided, granting authentication. However, they failed to perform a role check to ensure the key holder was authorized to perform administrative actions. The endpoints should have required the `PROXY_ADMIN` role, just as the main configuration-saving endpoint does.

This oversight created a classic privilege escalation scenario. Any authenticated user could perform an action reserved for administrators. In the context of agentic systems, this meant a key assigned to a sandboxed, read-only agent could be used to take over the entire orchestration platform. The fix, implemented in version 1.83.7, was to add the missing `PROXY_ADMIN` role check to both test endpoints [3].

Why Standard Defenses Struggle

This type of vulnerability can be difficult to detect with traditional security tools. The attack payload is a syntactically valid JSON object sent to a legitimate application endpoint. A Web Application Firewall (WAF) would likely not flag the request as malicious, as it conforms to the expected data format. The traffic is also encrypted if the service uses TLS.

Endpoint Detection and Response (EDR) tools on the host might also be challenged. An EDR agent would see a process being spawned by the trusted LiteLLM proxy process. While spawning a shell or an unknown command is suspicious, it might not be immediately blocked if the parent process is on an allowlist. Sophisticated attackers could further disguise their actions by executing commands that blend in with normal administrative activity, evading behavior-based detection.

Detection and Mitigation Playbook

The most effective mitigation is to upgrade LiteLLM to version `1.83.7` or a newer stable release. This patch correctly restricts access to the vulnerable endpoints. If an immediate upgrade is not feasible, administrators should block all POST requests to `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` at a reverse proxy or API gateway. This workaround prevents attackers from reaching the vulnerable code.

To detect potential past or ongoing compromise, security teams should audit access logs for their LiteLLM instance. Search for any POST requests made to the two test endpoints. Investigate the source IP and API key associated with any such requests. On the host, review process execution logs for any unexpected child processes spawned by the LiteLLM service. A baseline of normal process activity is essential for spotting these anomalies.

This incident also underscores the importance of API key hygiene. While proper permissions would not have prevented this specific attack due to the missing role check, limiting key exposure and adhering to the principle of least privilege remains a critical security control. Regularly rotate keys and ensure each key has only the permissions required for its specific function.

The Fragility of Agentic Infrastructure

As organizations build increasingly complex systems of autonomous agents, the software that connects and orchestrates them becomes a critical security chokepoint. Tools like LiteLLM's MCP server are powerful enablers of this new computing model. They are also highly attractive targets for attackers.

A vulnerability in a central orchestrator creates a much larger blast radius than a flaw in a single application. Compromising the control plane can lead to the failure of an entire fleet of agents. This incident serves as a stark reminder that the security of agentic AI systems depends on the security of every component in the stack, especially the foundational layers that manage communication and control.

References

  1. GitHub Security Advisory (GHSA-v4p8-mg3p-g94g). https://github.com/advisories/GHSA-v4p8-mg3p-g94g (accessed 2026-04-28).
  2. Vendor security advisory (github.com). https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g (accessed 2026-04-28).
  3. github.com. https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable (accessed 2026-04-28).

Disclosure

This briefing is auto-generated by Helixar Research Labs from public threat-intelligence feeds, drafted by an editorial language model, and validated by deterministic linters. It has not been reviewed by a named human author. The content is informational only and does not constitute legal, regulatory, or operational security advice. Product names, vendor advisories, and CVE identifiers belong to their respective owners. Verify any technical or remediation detail directly against the cited primary source before acting on it. Helixar makes no warranty, express or implied, regarding accuracy, completeness, or fitness for any specific purpose.

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.

Back to Press