LiteLLM — the open-source AI gateway routing traffic for OpenAI, Anthropic, Google, and Azure — just got hit with two separate critical vulnerability chains in one month.
CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8.
Chained with a Starlette authentication bypass, it becomes unauthenticated remote code execution.
CVSS 10.0. No credentials required. Anyone who can reach the gateway owns it.
Then Obsidian Security dropped a second attack chain on June 15.
Three CVEs. Low-privilege user to root. CVSS 9.9. Patches for the first chain don't fix this one.
Here's what makes this existential for your enterprise.
LiteLLM sits between your data and every model provider you use.
A compromised gateway hands the attacker every API key, every prompt, every response.
All of them. At once.
CISA called it "sustained targeting of AI gateway infrastructure."
That's not boilerplate. That's the language they reserve for documented, repeated, intentional attacks.
The test endpoints that enabled the first exploit exist because someone left development interfaces accessible in production.
The governance that would have prevented this was never applied to the AI layer.
Audit every LiteLLM deployment in your environment today.
Upgrade to v1.83.14-stable immediately — anything earlier leaves you exposed to one or both chains.
Rotate every API key the gateway has ever touched.
Then ask your team one question: who owns the AI gateway's access?
If no one can answer, you have an unmanaged privileged account with the keys to your entire AI stack.
Audit your gateway posture now.
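One way to run the audit step above at scale is to collect the version each gateway reports and flag every instance older than the fix release the advisory names. The script below is an added example, not LiteLLM project code. It assumes the version is read from the JSON body of each proxy's readiness endpoint in a field named `litellm_version`; that field name and the sample readiness bodies are assumptions, constructed here so the script runs offline, so adapt them to what your deployments actually return.

```python
"""Triage helper: flag LiteLLM proxy instances older than v1.83.14-stable.

Added example, not part of the LiteLLM project. The readiness payload shape
(a JSON object carrying "litellm_version") is an ASSUMPTION; the sample
bodies below are CONSTRUCTED for offline use.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Fix release named in the advisory: anything earlier is exposed.
FIXED_VERSION = (1, 83, 14)

# Accepts "1.83.14-stable", "v1.83.13", "1.84.0"; ignores any "-suffix".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Returns None when the string does not start with a dotted triple, so
    callers can treat unknown versions as unverified rather than as safe.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(group) for group in match.groups())
    return (major, minor, patch)


def is_exposed(version_text: str) -> bool:
    """True when the reported version is older than the fix, or unparseable.

    Failing closed on unparseable input is deliberate: an instance whose
    version cannot be read needs a manual check, not a pass.
    """
    version = parse_version(version_text)
    return version is None or version < FIXED_VERSION


def triage(readiness_by_host: dict[str, str]) -> dict[str, str]:
    """Classify each host as EXPOSED, PATCHED or UNKNOWN from its readiness body.

    UNKNOWN covers bodies that are not JSON or lack the assumed version field;
    those hosts still need a manual check before they are considered covered.
    """
    verdicts: dict[str, str] = {}
    for host, body in readiness_by_host.items():
        try:
            reported = json.loads(body).get("litellm_version")
        except (ValueError, AttributeError):
            reported = None
        if not isinstance(reported, str) or parse_version(reported) is None:
            verdicts[host] = "UNKNOWN"
        elif is_exposed(reported):
            verdicts[host] = "EXPOSED"
        else:
            verdicts[host] = "PATCHED"
    return verdicts


# CONSTRUCTED sample readiness bodies standing in for four gateway hosts.
SAMPLE_READINESS = {
    "llm-gw-prod-1": '{"status": "connected", "litellm_version": "1.83.12"}',
    "llm-gw-prod-2": '{"status": "connected", "litellm_version": "1.83.14-stable"}',
    "llm-gw-dev": '{"status": "connected", "litellm_version": "1.84.0"}',
    "llm-gw-legacy": "<html>proxy error</html>",
}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_READINESS).items()):
        print(f"{host:16s} {verdict}")
```

The UNKNOWN verdict matters as much as EXPOSED: a gateway that does not report a version is exactly the unmanaged instance the question in the post is asking about, and it should be tracked down rather than dropped from the list.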
SOURCE: https://dailysecurityreview.com/cyber-security/obsidian-finds-cvss-9-9-attack-chain-in-litellm-ai-gateway
VERIFIED: CISA KEV catalog (June 8, 2026), Obsidian Security disclosure (June 15, 2026), CSA Research Note CVE-2026-42271 (June 13, 2026)
SIGNAL: AI gateways are now priority targets. Two critical chains in 30 days. If you're running LiteLLM without v1.83.14, you're already exposed.
Enterprise AI Impact
LiteLLM is under active siege. Your AI gateway is the target.