On June 8, 2026, CISA added CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM, to the Known Exploited Vulnerabilities catalog. This is the second LiteLLM CVE added to the KEV in 60 days. CVE-2026-42208, a SQL injection flaw with a CVSS score of 9.8, was exploited within 36 hours of its public disclosure and added to the KEV on May 8.
Two KEV additions in two months from a single AI infrastructure tool is not coincidence. It is a pattern worth naming clearly.
What LiteLLM is
LiteLLM is an open-source AI gateway proxy developed by BerriAI. It is widely used by organizations deploying multiple LLM providers, allowing teams to standardize API calls, apply rate limits, track token usage, manage authentication, and route requests across OpenAI, Anthropic, Azure OpenAI, Google, and other providers from a single interface.
It is, in other words, the layer that sits between your applications and your AI providers and controls access to all of them. It has administrative interfaces, database connections, logging pipelines, and in many deployments, direct network access to internal systems.
CVE-2026-42208: SQL injection, exploited in 36 hours
CVE-2026-42208 is a SQL injection vulnerability in LiteLLM with a CVSS score of 9.8. When it was publicly disclosed, attackers began exploiting it within 36 hours. CISA added it to the KEV catalog on May 8, 2026.
SQL injection at CVSS 9.8 in an AI gateway proxy that has database access and potentially internal network access is exactly as serious as it sounds. Organizations that had not patched within the first day of disclosure were potentially exposed to data exfiltration, authentication bypass, and lateral movement through the AI infrastructure layer.
CVE-2026-42271: command injection, actively exploited
CVE-2026-42271 is a command injection vulnerability in LiteLLM added to the CISA KEV on June 8. Command injection at the gateway layer means an attacker with access to the vulnerability can execute arbitrary commands on the system running LiteLLM with the permissions of the LiteLLM process.
In most production deployments, that means access to environment variables containing API keys for every LLM provider the organization uses, configuration files with internal network routing details, and the network context of the gateway host.
The structural problem
The two CVEs together reveal something that is worth stating plainly: attackers are actively targeting the AI infrastructure layer, and many security teams are not watching it.
LiteLLM deployments often fall into a security gap. They are deployed and managed by AI and platform teams rather than security teams, so they may not be included in the organization's vulnerability management program. They are not the application, so application security reviews may not cover them. They are not the model provider, so vendor security assessments do not apply.
The result is an administrative interface with broad access to AI providers, internal network connectivity, database connections, and logging systems that may be patched months behind the application stack.
What to do
Patch LiteLLM to the latest version immediately. Both CVE-2026-42208 and CVE-2026-42271 have fixes available. If you are not on the latest version, you may be exposed to both vulnerabilities.
Treat LiteLLM and any AI gateway proxy as Tier 1 infrastructure. Include it in your vulnerability management program, patch cadence, and security monitoring. Apply network segmentation to restrict what systems the gateway can reach. Rotate any API keys that may have been exposed if your LiteLLM deployment was not patched promptly after May 8.
If you are evaluating AI infrastructure tooling, apply the same security due diligence to gateway proxies that you apply to web application frameworks. These systems have broad access and are actively targeted.
The broader point
The AI security conversation has spent two years focused on model behavior: prompt injection, jailbreaks, hallucination, bias. Those are real problems worth addressing. But the fastest-moving attack surface right now is the infrastructure around the model.
LiteLLM is not the only AI infrastructure tool with exploited vulnerabilities. It is the most visible recent example of a pattern that will continue as AI infrastructure matures and attackers shift their attention from the models to the plumbing.
Secure the plumbing.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your team needs help auditing AI infrastructure security posture.