CVE-2026-42271 Elastic Security · Elastic

Detect BerriAI LiteLLM Command Injection (CVE-2026-42271) in Elastic Security

Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.

MITRE ATT&CK

Tactic
Execution Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=30s
  [network where network.direction == "inbound"
   and destination.port in (4000, 8000, 8080)
   and network.transport == "tcp"]
  [process where event.type == "start"
   and process.parent.name in ("python", "python3", "uvicorn", "gunicorn")
   and process.name in ("sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "python", "python3", "wget", "curl", "nc", "ncat")
   and (
     process.command_line like~ "*;*"
     or process.command_line like~ "*&&*"
     or process.command_line like~ "*||*"
     or process.command_line like~ "*`*"
     or process.command_line like~ "*$(*"
     or process.command_line like~ "*|*"
   )
  ]
critical severity high confidence

EQL sequence detecting an inbound network connection to common LiteLLM ports followed within 30 seconds by a suspicious child process spawned from a Python/uvicorn parent, characteristic of CVE-2026-42271 exploitation.

Data Sources

Elastic Endpoint SecurityElastic Agent

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate administrative shell commands executed by operators via the LiteLLM management interface
  • Automated health check scripts that spawn short-lived processes from the LiteLLM host
  • Development environments where LiteLLM is tested with shell-based tooling

Other platforms for CVE-2026-42271

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1LiteLLM API Command Injection via Model Parameter

    Expected signal: Process creation event showing sh or bash child process under the uvicorn/gunicorn parent with command line containing the injected id command

  2. Test 2LiteLLM Out-of-Band Command Injection with Reverse Shell Attempt

    Expected signal: Network connection event showing outbound TCP to 127.0.0.1:9999 from the LiteLLM process, plus a bash process with -i flag spawned from the Python parent

  3. Test 3LiteLLM Config Endpoint Command Injection via Backtick Substitution

    Expected signal: Process creation event with backtick command substitution syntax in command line, spawned from the LiteLLM Python process

  4. Test 4Post-Exploitation Credential Harvesting via LiteLLM Injection

    Expected signal: Process creation event showing cat and tr commands spawned from LiteLLM parent, with file write event to /tmp/cve42271_env.txt

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-42271 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote Services

Same Tactic: Execution

Popular Detections