CISA adds BerriAI LiteLLM & Check Point Security Gateway to KEV

CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog on June 8, 2026, confirming active exploitation of both. The two entries are CVE-2026-42271 (BerriAI LiteLLM Command Injection) and CVE-2026-50751 (Check Point Security Gateway Improper Authentication).

CVE-2026-42271 — BerriAI LiteLLM Command Injection

CVSS: 8.7 (High)
Affected Versions: LiteLLM 1.74.2 through 1.83.6
Fixed In: LiteLLM v1.83.7

The flaw is a command injection vulnerability that allows any authenticated user — including holders of low-privilege internal-user keys — to run arbitrary commands on the host.

Two MCP preview endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, accepted full server configurations in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, these endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
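
The root cause above is a test endpoint that accepts launch parameters (`command`, `args`, `env`) from the caller and then acts on them. The following is an added example of the defensive pattern, not LiteLLM's own code: a request may only name a server that an operator registered in advance, and any inline launch field anywhere in the body is rejected before the transport is considered. The registry, the `server_id` field and the absolute-path rule are assumptions for the example.

```python
"""Hardened handling of an MCP "test connection" request body.

Added example, not LiteLLM's own code. It assumes a hypothetical
operator-maintained registry of approved MCP servers and a hypothetical
`server_id` request field; the `command`, `args` and `env` field names are
the ones the advisory describes.
"""
from dataclasses import dataclass

# Fields that tell a stdio transport what to spawn. Accepting them from a
# request body is what let a "test connection" call launch a subprocess, so
# the hardened handler refuses them for every caller, whatever their role.
STDIO_LAUNCH_FIELDS = frozenset({"command", "args", "env"})


class RejectedRequest(ValueError):
    """Raised when a request tries to supply launch parameters inline."""


@dataclass(frozen=True)
class McpServer:
    server_id: str
    transport: str                          # "http" or "stdio"
    command: tuple[str, ...] = ()           # fixed by the operator at registration
    env: tuple[tuple[str, str], ...] = ()


def register_stdio_server(registry, server_id, command, env=()):
    """Operator-side registration: the only place a launch line is accepted.

    Requiring an absolute path (a hypothetical policy for this example)
    stops a registered entry from resolving a binary by name from PATH.
    """
    if not command or not command[0].startswith("/"):
        raise ValueError("stdio command must be an absolute path")
    registry[server_id] = McpServer(server_id, "stdio", tuple(command), tuple(env))


def _inline_launch_fields(obj, found=None):
    """Recursively collect launch-field names anywhere in a JSON value,
    so nesting them under another key does not slip past the check."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        found.update(STDIO_LAUNCH_FIELDS & set(obj))
        for value in obj.values():
            _inline_launch_fields(value, found)
    elif isinstance(obj, list):
        for value in obj:
            _inline_launch_fields(value, found)
    return found


def resolve_mcp_test_target(body, registry):
    """Return the registered server a test request is allowed to touch.

    Callers may only *name* a server; any inline command/args/env is
    rejected before the transport is even looked at.
    """
    if not isinstance(body, dict):
        raise RejectedRequest("request body must be a JSON object")
    inline = _inline_launch_fields(body)
    if inline:
        raise RejectedRequest(f"inline launch fields not accepted: {sorted(inline)}")
    server_id = body.get("server_id")
    if not isinstance(server_id, str) or server_id not in registry:
        raise RejectedRequest("unknown or missing server_id")
    return registry[server_id]
```

The point of the split is that authentication level never enters the decision: even an admin cannot turn the test endpoint into a launcher, because the only launch lines that exist are the ones written into the registry out of band.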

Exploit Chain — Unauthenticated RCE

Horizon3.ai chained CVE-2026-42271 with CVE-2026-48710 (CVSS 6.5), a “BadHost” host header validation bypass in the Starlette ASGI framework, to completely sidestep authentication and achieve unauthenticated remote code execution. CVE-2026-48710 can bypass the authentication mechanism entirely in LiteLLM deployments running Starlette versions ≤ 1.0.0.

Successful exploitation of this chain allows attackers to run arbitrary commands on the LiteLLM host, access model provider credentials, siphon API keys and secrets stored by the proxy, move laterally into connected AI infrastructure, and compromise downstream systems integrated with the gateway.

Context: This is the second LiteLLM KEV entry in roughly a month. CVE-2026-42208 (CVSS 9.3), a critical SQL injection flaw in LiteLLM, came under active exploitation within 36 hours of public disclosure and was added to KEV in May 2026.

Detection Indicators
Monitor process trees on LiteLLM proxy hosts for child processes not matching the expected MCP server allowlist — especially shells (sh, bash), interpreters (python, node), or network tools (curl, wget, nc). Correlate authentication events with subprocess execution timestamps, and flag any LiteLLM instance running between versions 1.74.2 and 1.83.6.
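
As an added illustration of the indicators above (not part of the advisory or of LiteLLM), the script below runs the two checks over constructed process events: it reports any child of the proxy process whose full argv is not an allowlisted MCP server launch, rating the advisory's named shells, interpreters and network tools as high severity, and it tests a LiteLLM version string against the affected range. The key=value event format, the `litellm` parent process name and the allowlist are assumptions.

```python
"""Flag unexpected child processes of a LiteLLM proxy and vulnerable versions.

Added example, not part of the advisory or of LiteLLM. The process events
below are constructed in a simple key=value form to stand in for EDR or
auditd output; the field names (ts, host, ppid, pcomm, pid, comm, cmdline),
the proxy process name and the allowlist are assumptions.
"""
import re
import shlex

# Constructed sample events: one legitimate MCP server launch, two children
# that match the advisory's indicator list, and one unrelated process.
SAMPLE_EVENTS = """\
ts=2026-06-08T10:01:02Z host=llm-gw-1 ppid=4120 pcomm=litellm pid=4311 comm=node cmdline="node /opt/mcp/filesystem-server.js"
ts=2026-06-08T10:01:09Z host=llm-gw-1 ppid=4120 pcomm=litellm pid=4325 comm=sh cmdline="sh -c id"
ts=2026-06-08T10:01:15Z host=llm-gw-1 ppid=4120 pcomm=litellm pid=4330 comm=curl cmdline="curl http://198.51.100.7/x"
ts=2026-06-08T10:02:00Z host=llm-gw-1 ppid=1 pcomm=systemd pid=4400 comm=bash cmdline="bash /usr/local/bin/backup.sh"
"""

# Full argv of every MCP server the proxy is expected to spawn (assumed).
MCP_ALLOWLIST = {("node", "/opt/mcp/filesystem-server.js")}

# Process names the advisory singles out as high-signal proxy children.
SUSPICIOUS_COMMS = {"sh", "bash", "python", "node", "curl", "wget", "nc"}

# Name under which the proxy process shows up as a parent (assumed).
PROXY_COMMS = {"litellm"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Affected range from the advisory, inclusive at both ends.
VULN_MIN, VULN_MAX = (1, 74, 2), (1, 83, 6)


def parse_event(line):
    """Turn one key=value line into a dict; pid fields become ints."""
    event = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    for key in ("ppid", "pid"):
        event[key] = int(event[key])
    return event


def flag_proxy_children(text):
    """Return (pid, comm, severity) for each child of the proxy whose argv
    is not an allowlisted MCP server launch. Matching on the full argv, not
    just the binary name, means a 'node' child is only accepted when it is
    running the registered server script."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["pcomm"] not in PROXY_COMMS:
            continue
        argv = tuple(shlex.split(ev["cmdline"]))
        if argv in MCP_ALLOWLIST:
            continue
        severity = "high" if ev["comm"] in SUSPICIOUS_COMMS else "medium"
        findings.append((ev["pid"], ev["comm"], severity))
    return findings


def version_tuple(version):
    """'v1.83.6' -> (1, 83, 6)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_vulnerable_version(version):
    """True for LiteLLM 1.74.2 through 1.83.6 inclusive (per the advisory)."""
    return VULN_MIN <= version_tuple(version) <= VULN_MAX


if __name__ == "__main__":
    for pid, comm, severity in flag_proxy_children(SAMPLE_EVENTS):
        print(f"pid={pid} comm={comm} severity={severity}")
    for v in ("1.74.1", "1.74.2", "1.83.6", "1.83.7"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "ok")
```

Correlating each finding's `ts` with the proxy's authentication log, as the text suggests, then tells you which key was used for the call that preceded the spawn.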

Remediation: Upgrade to LiteLLM v1.83.7. Restrict access to MCP management endpoints. Rotate any exposed API keys and model provider credentials. Review GitHub Security Advisory GHSA-v4p8-mg3p-g94g for full vendor detail.

CVE-2026-50751 — Check Point Security Gateway Improper Authentication

CVSS: 9.3 (Critical)
CWE: CWE-287 (Improper Authentication)
Exploitation Active Since: May 7, 2026
FCEB Patch Deadline: June 11, 2026

The vulnerability stems from a logic flaw in how the Remote Access and Mobile Access components validate certificates during the IKEv1 key exchange, allowing an unauthenticated remote attacker to establish a VPN session without presenting valid credentials.

Four conditions must be simultaneously present for exploitation: Remote Access VPN or Mobile Access must be enabled, IKEv1 must be active for remote access, the gateway must accept legacy remote access clients, and it must not require a machine certificate for connections.

Affected Versions
Security Gateways: R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS). Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X.
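
To turn the affected-version list and the four preconditions into something an asset inventory can evaluate, here is an added example (not Check Point's code and not from the advisory's author). The version table and the hotfix availability per line are taken from the text above; the accepted input format (`"R82.10 Jumbo Hotfix Take 19"`) and the configuration-flag names are assumptions.

```python
"""Classify a Check Point Security Gateway against the advisory's affected list.

Added example, not Check Point's code. The version table and the set of
lines with a hotfix come from the advisory; the input string format and the
configuration-flag names are assumptions.
"""
import re

# Security Gateway lines: highest affected Jumbo Hotfix Take, or None when
# the line is end-of-support and every take is affected with no hotfix coming.
MAX_AFFECTED_TAKE = {
    "R82.10": 19,
    "R82": 103,
    "R81.20": 141,
    "R81.10": None,
    "R81": None,
    "R80.40": None,
}
HOTFIX_AVAILABLE = {"R81.20", "R82", "R82.10"}   # SK185033, per the advisory

VERSION_RE = re.compile(
    r"^(R\d+(?:\.\d+)?)(?:\s+Jumbo\s+Hotfix)?(?:\s+Take\s+(\d+))?$", re.I)


def parse_version(text):
    """'R82.10 Jumbo Hotfix Take 19' -> ('R82.10', 19); no take -> 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    take = int(match.group(2)) if match.group(2) else 0
    return match.group(1).upper(), take


def is_affected(text):
    """True if the version falls inside the advisory's affected set.
    Lines not in the table return False; triage() reports them separately."""
    line, take = parse_version(text)
    if line not in MAX_AFFECTED_TAKE:
        return False
    limit = MAX_AFFECTED_TAKE[line]
    return limit is None or take <= limit


def preconditions_met(cfg):
    """All four exploitation preconditions from the advisory must hold.
    Flag names are assumed; missing flags are treated conservatively
    (feature off, machine certificate required)."""
    return (cfg.get("remote_access_or_mobile_access_enabled", False)
            and cfg.get("ikev1_enabled_for_remote_access", False)
            and cfg.get("legacy_clients_accepted", False)
            and not cfg.get("machine_certificate_required", True))


def triage(version_text, cfg):
    """Map a gateway to the advisory's remediation path."""
    line, _ = parse_version(version_text)
    if line not in MAX_AFFECTED_TAKE:
        return "unlisted-review"
    if not is_affected(version_text):
        return "not-affected"
    action = "apply-hotfix" if line in HOTFIX_AVAILABLE else "upgrade-eos"
    if preconditions_met(cfg):
        # Reachable configuration: the advisory's interim step applies too.
        action += "+disable-ikev1-until-patched"
    return action


if __name__ == "__main__":
    exposed = {"remote_access_or_mobile_access_enabled": True,
               "ikev1_enabled_for_remote_access": True,
               "legacy_clients_accepted": True,
               "machine_certificate_required": False}
    for v in ("R82.10 Jumbo Hotfix Take 19", "R82.10 Take 20", "R81.10"):
        print(v, "->", triage(v, exposed))
```

Note that an affected version with the preconditions unmet still gets a patch action: the four conditions gate exploitation of this flaw, not the need to fix it.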

Active Exploitation & Threat Actor
A Qilin ransomware affiliate exploited the flaw for roughly a month before a patch was available, targeting dozens of organisations. The flaw has also been linked to concurrent targeting of Palo Alto, Fortinet, and F5 infrastructure.

Related Vulnerability — CVE-2026-50752
During investigation using Check Point’s agentic AI code security platform BLAST, a second flaw was identified: CVE-2026-50752 (CVSS 7.4), which affects certificate validation in the same deprecated IKEv1 implementation and could allow man-in-the-middle interference with site-to-site VPN communications. No in-the-wild exploitation has been observed to date.

Remediation
Hotfixes for R81.20, R82, and R82.10 are available from Check Point’s Security Knowledge Base article SK185033. R80.20.X, R80.40, R81, and R81.10 are end-of-support and will not receive hotfixes — organisations on those versions must upgrade. If patching is delayed, disable IKEv1 entirely as an interim measure.
