BerriAI LiteLLM Command Injection (CVE-2026-42271)

Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.

Vulnerability Intelligence

KEV: Known Exploited
CVSS: Unscored

What is BerriAI LiteLLM Command Injection (CVE-2026-42271)?

BerriAI LiteLLM Command Injection (CVE-2026-42271) maps to the MITRE ATT&CK Execution, Persistence and Lateral Movement tactics; the adversary is trying to run malicious code on the host.

This page provides production-ready detection logic for BerriAI LiteLLM Command Injection (CVE-2026-42271), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents and Microsoft Sentinel DeviceNetworkEvents. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic: Execution, Persistence, Lateral Movement

Microsoft Sentinel / Defender
```kusto
// Shell metacharacters and their URL-encoded forms that indicate command injection
let suspiciousPatterns = dynamic([";", "&&", "||", "`", "$(", "|", ">", "<", "\n", "%0a", "%3b", "%26%26", "%7c"]);
// LocalPort is an integer column, so the port list must hold integers, not strings
let litellmPorts = dynamic([4000, 8000, 8080]);
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
// Either an inbound connection on a common LiteLLM port, or a shell/interpreter
// child spawned by the Python/ASGI server process that hosts LiteLLM
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (litellmPorts))
   or (FileName in~ ("python", "python3", "sh", "bash", "cmd.exe", "powershell.exe") and InitiatingProcessFileName in~ ("python", "python3", "uvicorn", "gunicorn"))
// Decode once so percent-encoded metacharacters (%3b, %7c, ...) are caught as well
| extend DecodedCmdLine = url_decode(ProcessCommandLine)
// Require injection metacharacters in the child command line plus a link to LiteLLM;
// network rows carry no ProcessCommandLine, so only process events reach the output
| where (ProcessCommandLine has_any (suspiciousPatterns) or DecodedCmdLine has_any (suspiciousPatterns))
   and (ProcessCommandLine contains "litellm" or InitiatingProcessCommandLine contains "litellm" or InitiatingProcessFileName =~ "uvicorn")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, LocalPort, RemoteIP
| order by TimeGenerated desc
```

Detects suspicious child process spawning or inbound connections on common LiteLLM ports combined with command injection metacharacters in process command lines, indicating potential CVE-2026-42271 exploitation.

Severity: critical. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel DeviceProcessEvents
  • Microsoft Sentinel DeviceNetworkEvents

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives

  • Legitimate LiteLLM administrative scripts that pass shell-like arguments for model configuration
  • CI/CD pipelines running automated LiteLLM integration tests with parameterized commands
  • Security testing or red team exercises against LiteLLM instances

Sigma rule & cross-platform mapping

The detection logic for BerriAI LiteLLM Command Injection (CVE-2026-42271) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: LiteLLM API Command Injection via Model Parameter

     Expected signal: Process creation event showing an sh or bash child process under the uvicorn/gunicorn parent, with a command line containing the injected id command

  2. Test 2: LiteLLM Out-of-Band Command Injection with Reverse Shell Attempt

     Expected signal: Network connection event showing outbound TCP to 127.0.0.1:9999 from the LiteLLM process, plus a bash process with the -i flag spawned from the Python parent

  3. Test 3: LiteLLM Config Endpoint Command Injection via Backtick Substitution

     Expected signal: Process creation event with backtick command substitution syntax in the command line, spawned from the LiteLLM Python process

  4. Test 4: Post-Exploitation Credential Harvesting via LiteLLM Injection

     Expected signal: Process creation event showing cat and tr commands spawned from the LiteLLM parent, with a file write event to /tmp/cve42271_env.txt
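To check what the KQL query above would and would not surface before the Atomic tests are run, the following is an added Python re-implementation of its matching logic, written for this page and not taken from the detection vendor or from the LiteLLM project. It applies the same parent/child image filters, the same metacharacter list (raw and URL-decoded) and the same "litellm" linkage to constructed DeviceProcessEvents-style records shaped like the expected signals of Tests 1 to 3, plus benign records. The hostnames, command lines and events are constructed samples; field names follow the Defender schema.

```python
# Added example, not code from the detection page or from the LiteLLM project:
# a Python re-implementation of the KQL matching logic, run over constructed
# DeviceProcessEvents-style records so the rule can be exercised offline.
# Field names follow the Defender schema; hostnames, command lines and the
# events themselves are constructed samples.
from urllib.parse import unquote

# Shell metacharacters and their URL-encoded forms (the KQL `suspiciousPatterns` list)
SUSPICIOUS_PATTERNS = [";", "&&", "||", "`", "$(", "|", ">", "<", "\n",
                       "%0a", "%3b", "%26%26", "%7c"]
# Child images of interest and the server images that host LiteLLM
SHELL_CHILDREN = {"python", "python3", "sh", "bash", "cmd.exe", "powershell.exe"}
LITELLM_PARENTS = {"python", "python3", "uvicorn", "gunicorn"}


def is_suspicious(event: dict) -> bool:
    """Mirror the two KQL filters for a process-creation event.

    Matches when a shell or interpreter is spawned by a Python/uvicorn/gunicorn
    parent, the child command line (raw or URL-decoded) carries an injection
    metacharacter, and the event is tied to LiteLLM by a command line or a
    uvicorn parent. Comparisons are case-insensitive, as in KQL's `in~`,
    `has_any` and `contains`.
    """
    child = event.get("FileName", "").lower()
    parent = event.get("InitiatingProcessFileName", "").lower()
    if child not in SHELL_CHILDREN or parent not in LITELLM_PARENTS:
        return False

    cmd = event.get("ProcessCommandLine", "").lower()
    decoded = unquote(cmd)  # the KQL url_decode() step
    has_meta = any(p in cmd or p in decoded for p in SUSPICIOUS_PATTERNS)

    parent_cmd = event.get("InitiatingProcessCommandLine", "").lower()
    linked = "litellm" in cmd or "litellm" in parent_cmd or parent == "uvicorn"
    return has_meta and linked


def find_hits(events):
    """Return the events the rule would surface, in the order given."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample telemetry modelled on the expected signals of Tests 1-3,
# plus benign records. None of it comes from a real host.
SAMPLE_EVENTS = [
    {   # Test 1 shape: sh child of uvicorn with an injected "; id"
        "DeviceName": "llm-proxy-01", "FileName": "sh",
        "InitiatingProcessFileName": "uvicorn",
        "InitiatingProcessCommandLine": "uvicorn litellm.proxy.proxy_server:app --port 4000",
        "ProcessCommandLine": 'sh -c "echo gpt-4o; id"',
    },
    {   # Percent-encoded separator: matched via the %3b pattern and the decoded ";"
        "DeviceName": "llm-proxy-01", "FileName": "bash",
        "InitiatingProcessFileName": "python3",
        "InitiatingProcessCommandLine": "python3 -m litellm --port 4000",
        "ProcessCommandLine": "bash -c gpt-4o%3Bid",
    },
    {   # Test 3 shape: backtick substitution under a gunicorn parent
        "DeviceName": "llm-proxy-02", "FileName": "sh",
        "InitiatingProcessFileName": "gunicorn",
        "InitiatingProcessCommandLine": "gunicorn litellm.proxy.proxy_server:app",
        "ProcessCommandLine": "sh -c echo `id`",
    },
    {   # Benign CI run: interpreter child, no metacharacters
        "DeviceName": "ci-runner-07", "FileName": "python3",
        "InitiatingProcessFileName": "gunicorn",
        "InitiatingProcessCommandLine": "gunicorn litellm.proxy.proxy_server:app",
        "ProcessCommandLine": "python3 -m pytest tests/test_litellm.py",
    },
    {   # Shell with metacharacters but an unrelated parent: outside the rule's scope
        "DeviceName": "build-01", "FileName": "sh",
        "InitiatingProcessFileName": "cron",
        "InitiatingProcessCommandLine": "/usr/sbin/cron",
        "ProcessCommandLine": "sh -c make && make install",
    },
    {   # Test 2's "bash -i" child: no metacharacter, so this rule alone does not fire
        "DeviceName": "llm-proxy-01", "FileName": "bash",
        "InitiatingProcessFileName": "python3",
        "InitiatingProcessCommandLine": "python3 -m litellm --port 4000",
        "ProcessCommandLine": "bash -i",
    },
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f'{hit["DeviceName"]}: {hit["InitiatingProcessFileName"]} -> {hit["ProcessCommandLine"]}')
```

Running the block reports the first three records and stays silent on the rest. The last record is the useful caveat: the process half of Test 2 carries no metacharacter, so it is only the DeviceNetworkEvents side (the outbound TCP connection from the LiteLLM process) that would flag that test, and the KQL above emits no network rows because its final filter requires a ProcessCommandLine. Pair this rule with a network-side query if Test 2 coverage is required.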
