Detect BerriAI LiteLLM Command Injection (CVE-2026-42271) in Google Chronicle
Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.
MITRE ATT&CK
- Tactic
- Execution Persistence Lateral Movement
YARA-L Detection Query
rule cve_2026_42271_litellm_command_injection {
meta:
author = "df00tech"
description = "Detects potential exploitation of CVE-2026-42271 in BerriAI LiteLLM via command injection"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g"
events:
$proc.metadata.event_type = "PROCESS_LAUNCH"
$proc.principal.process.parent_process.file.full_path = /(?i)(uvicorn|gunicorn|litellm|python)/
$proc.target.process.file.full_path = /(?i)(sh|bash|dash|zsh|cmd\.exe|powershell\.exe|wget|curl|nc|ncat)/
(
$proc.target.process.command_line = /;/ or
$proc.target.process.command_line = /&&/ or
$proc.target.process.command_line = /\|\|/ or
$proc.target.process.command_line = /`/ or
$proc.target.process.command_line = /\$\(/ or
$proc.target.process.command_line = /%0[aA]/ or
$proc.target.process.command_line = /%3[bB]/
)
condition:
$proc
}Chronicle YARA-L rule detecting suspicious child process launches by LiteLLM-related parent processes with command injection metacharacters, targeting CVE-2026-42271 exploitation patterns.
Data Sources
Required Tables
False Positives & Tuning
- Automated LiteLLM deployment scripts that spawn shell processes as part of normal setup
- Container orchestration agents that fork shell processes from the Python parent
- Security tooling that monitors LiteLLM and spawns diagnostic shell commands
Other platforms for CVE-2026-42271
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1LiteLLM API Command Injection via Model Parameter
Expected signal: Process creation event showing sh or bash child process under the uvicorn/gunicorn parent with command line containing the injected id command
- Test 2LiteLLM Out-of-Band Command Injection with Reverse Shell Attempt
Expected signal: Network connection event showing outbound TCP to 127.0.0.1:9999 from the LiteLLM process, plus a bash process with -i flag spawned from the Python parent
- Test 3LiteLLM Config Endpoint Command Injection via Backtick Substitution
Expected signal: Process creation event with backtick command substitution syntax in command line, spawned from the LiteLLM Python process
- Test 4Post-Exploitation Credential Harvesting via LiteLLM Injection
Expected signal: Process creation event showing cat and tr commands spawned from LiteLLM parent, with file write event to /tmp/cve42271_env.txt
Unlock Pro Content
Get the full detection package for CVE-2026-42271 including response playbook, investigation guide, and atomic red team tests.