CVE-2026-30623 in LiteLLMinfo

Summary

by MITRE • 07/16/2026

LiteLLM 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application allows users to add MCP servers via a JSON configuration specifying arbitrary command and args values. LiteLLM executes these values on the host without validation, enabling attackers to run arbitrary operating system commands. Successful exploitation may result in remote code execution with the privileges of the LiteLLM process.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in LiteLLM version 1.18.10 represents a critical remote code execution flaw that arises from insufficient input validation within the MCP server creation functionality. This issue stems from the application's design to accept JSON configuration files that specify command and argument values for MCP servers, creating an attack surface where untrusted data flows directly into system execution contexts without proper sanitization or verification mechanisms.

The technical implementation of this vulnerability manifests through the direct execution of user-supplied commands within the host operating system environment. When LiteLLM processes the JSON configuration containing arbitrary command and args parameters, it fails to validate or sanitize these inputs before invoking system-level execution functions. This primitive execution pattern exposes the underlying system to malicious input that can include shell commands, system utilities, or any executable code that the hosting process has permission to run.

From an operational perspective this vulnerability presents severe implications for systems running LiteLLM, as it allows remote attackers to execute arbitrary commands with the privileges of the LiteLLM process. The impact extends beyond simple command execution to potentially enable full system compromise, data exfiltration, privilege escalation, or lateral movement within network environments where the application operates. Attackers can leverage this vulnerability to establish persistent access, deploy malware, or perform reconnaissance activities without requiring additional authentication mechanisms.

The vulnerability aligns with CWE-78, which specifically addresses OS Command Injection, and represents a classic example of insufficient input validation leading to arbitrary code execution. This weakness falls under the ATT&CK framework's technique T1059.007 for Command and Scripting Interpreter, where adversaries execute commands through legitimate system interfaces. The attack surface is particularly concerning given that the vulnerability exists in a server configuration mechanism designed for legitimate administrative purposes, making it difficult to detect unauthorized exploitation attempts.

Mitigation strategies should prioritize immediate patching of the affected LiteLLM version to address the input validation deficiencies and prevent arbitrary command execution. Organizations should implement strict input validation policies that sanitize all user-supplied configuration parameters before system execution. Network segmentation and process isolation can help limit the impact if exploitation occurs, while monitoring systems should be deployed to detect unusual command execution patterns or unauthorized configuration changes. Additionally, privilege separation techniques should ensure that the LiteLLM process operates with minimal required permissions rather than elevated privileges that could amplify the impact of successful exploitation attempts.

Responsible

MITRE

Reservation

03/04/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!