CVE-2026-42208 added to KEV

LiteLLM proxy servers just got pushed into the same bucket as the internet’s most urgent enterprise bugs. CISA added CVE-2026-42208 to the Known Exploited Vulnerabilities catalog after signs of real-world abuse, which means this is no longer a theoretical flaw in an AI toolchain. It is a live security problem in a product that often sits between users and expensive model credentials. The change matters because LiteLLM proxy is exactly the kind of software teams expose internally or even publicly to centralize model access. ### What broke in LiteLLM? The bug sits in LiteLLM Proxy’s API key verification path. Basically, a database query handled a caller-supplied key unsafely instead of passing it as a separate parameter. That opened the door to SQL injection. GitHub’s advisory says an unauthenticated attacker could reach the vulnerable query by sending a crafted `Authorization` header to LLM API routes like `/chat/completions`. (cisa.gov) ### Why is “pre-auth” the scary part? Because the attacker does not need a valid account first. That changes the whole risk profile. A bug behind login is bad; a bug in the auth path itself is worse, because the thing meant to check trust becomes the entry point. In this case, successful exploitation could let an attacker read data from the proxy database and possibly modify it, which can lead to unauthorized access to the proxy and the credentials it manages. (github.com) ### Which versions are affected? LiteLLM says versions `v1.81.16` through `v1.83.6` are affected. The fix landed in `v1.83.7`, and the project’s recommended safe target is `v1.83.10-stable`. So this is not a vague “update when convenient” situation — there is a clean patched floor, and teams can check quickly whether they are below it. ### Why did CISA step in? KEV is CISA’s short list of vulnerabilities that are being actively exploited and should jump to the front of the patch queue. (cisa.gov) For federal civilian agencies, KEV inclusion is not just advice under Binding Operational Directive 22-01 — it comes with a remediation deadline. The catalog entry for CVE-2026-42208 shows a due date of May 11, 2026. Even outside government, KEV is widely used as a practical signal that attackers are already converting a bug into operations. (docs.litellm.ai) ### Does this mean attackers are targeting AI infrastructure now? Yes — and that is the bigger pattern here. LiteLLM is not a model provider; it is middleware that brokers access to many models and stores the keys, configs, and routing logic that make an AI stack work. That makes the proxy a high-leverage target. If an attacker gets into that layer, they may not just steal one secret — they may get visibility into a whole organization’s model usage and credentials. (cisa.gov) ### Is there public exploit detail already? There is enough public detail for defenders to take this seriously. The GitHub advisory explains the attack path, and public lab repos and threat-intel writeups appeared within days showing local proof-of-concept setups and describing exploitation after disclosure. That does not prove every exposed LiteLLM instance is being hit, but it does mean the barrier to copycat abuse is low. (cisa.gov) ### What should teams do right now? Upgrade LiteLLM Proxy to at least `1.83.7`, with `1.83.10-stable` the recommended target. Then check whether any proxy endpoints are internet-exposed, rotate credentials the proxy manages if compromise is plausible, and review logs for suspicious `Authorization` header activity against LLM routes. If the proxy database was reachable through this bug, assume secrets and configuration data may have been exposed. (github.com) ### What is the real takeaway? The bottom line is simple: an AI gateway bug just graduated into a known-exploited vulnerability. That tells you something important about where attackers see value now. They are not only chasing endpoints and VPNs anymore — they are moving toward the control planes that sit in front of models, budgets, and API keys. (cisa.gov) (docs.litellm.ai)