GHSA-v4p8-mg3p-g94g: LiteLLM: Authenticated command execution via MCP stdio test endpoints
Summary
LiteLLM had a security flaw in two test endpoints (`POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`) that allowed authenticated users to run arbitrary commands on the server. These endpoints accepted server configurations including command and arguments, and would execute them as subprocesses with the proxy's privileges, even for users with low-level permissions.
Solution / Mitigation
Fixed in version 1.83.7. Both test endpoints now require the `PROXY_ADMIN` role (a permission level for administrators only). As a temporary workaround, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway (the server that sits between users and the application to filter traffic).
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-v4p8-mg3p-g94g
First tracked: April 25, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%