top of page
Search

LiteLLM Just Got Its Second CISA KEV Entry in 31 Days. We Indexed the Poisoned Versions Back in March.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 3m
  • 3 min read

CISA added a second LiteLLM vulnerability to its Known Exploited Vulnerabilities catalog on June 8. That's two entries for the same AI gateway in thirty-one days — and it's worth saying out loud what kind of component keeps landing on the federal must-patch list.


LiteLLM is a proxy. Its entire job is to sit in front of every model an organization uses and hold the keys — OpenAI, Anthropic, the internal endpoints, all of it routed through one process that authenticates callers and manages credentials. It is exactly the kind of quiet plumbing that AI teams stand up in a week and forget about. CISA has now flagged it twice as actively exploited.



The two entries, and why the order matters


On May 8, CISA listed [CVE-2026-42208](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-42208) — a SQL injection in LiteLLM, CVSS 9.8. The catalog language is precise about the stakes: it "allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the credentials it manages." Read the credentials it manages. For a key-broker, that's the whole prize.


On June 8, CISA listed [CVE-2026-42271](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-42271) — a command injection. This one lets "any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host." Not read the database. Run commands on the box.


Put them in sequence and you have an escalation, not two unrelated bugs. May was steal the keys. June is own the machine the keys live on — and the bar dropped from "attacker with access to the database" to "anyone holding even a low-privilege internal key." That is the trajectory you do not want for the one process sitting in front of all your model traffic.



We were 45 days ahead of the first one — and we can show the timestamps


This is the part we keep receipts for. Our index flagged litellm as compromised on March 24, 2026. Six days later, on March 30, we indexed the specific poisoned releases — litellm==1.82.7 and litellm==1.82.8 — pulled by our maltrail and GitHub-hunt feeds and written to our indicators index as supply-chain threats. CISA's first LiteLLM KEV entry landed May 8. That's a 45-day gap between "we named the poisoned versions" and "the federal catalog said patch it," and we wrote it up on May 10 the day the first entry posted.


We are not claiming we found CVE-2026-42271 — CISA and the vendor advisory chain did, and credit goes there. What we're claiming is narrower and verifiable: the AI-gateway layer has been a live, indexed threat in our corpus since March, and the federal catalog is now catching up to it for the second time in a month.



What it actually means


The lesson isn't "patch LiteLLM," though you should — anything past 1.82.x, on the fixed releases, today. The lesson is about where the attack surface moved. For years the KEV-class targets were the perimeter boxes: the VPN concentrator, the firewall, the file-transfer appliance. LiteLLM is none of those. It's an AI-infrastructure component, the gateway your agents and apps call, and it has now earned repeat entries on the same list as the edge appliances.


If you run an LLM proxy or gateway — LiteLLM or anything in its category — treat it like the credential vault it is, not like a dev convenience:


  • Pin and patch it on the cadence you'd give a public-facing VPN, because that's the threat tier it's in now.

  • Scope the keys it brokers. CVE-2026-42271 turns a low-privilege internal-user key into host command execution; least-privilege on those keys is the difference between a contained incident and a full compromise.

  • Assume the keys it holds are the target. Rotate on any suspicion, and watch for the SQL-injection-then-command-injection pattern the two CVEs describe.

The edge isn't just the firewall anymore. It's the gateway in front of your models. We've had that one indexed since March — the catalog just listed it twice to make the point.


Credit where due: CISA's KEV catalog and the BerriAI advisory chain for the disclosures; our part is the timeline and the lead-time ledger, kept honest with timestamps.




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.


bottom of page