Many companies that run AI at scale send their requests through a single piece of software called an AI gateway, a proxy that sits between their applications and the dozen large language model providers they call. It pools the API keys, tracks the spending, and routes traffic so engineers do not have to wire up each provider by hand. The most widely used open-source version of that gateway is LiteLLM. On Monday, June 8, 2026, the US cybersecurity agency confirmed that attackers are exploiting a flaw in it.
The reason this lands harder than a routine bug report is where the gateway sits. It is the one machine that holds the keys to every model an organization pays for. Compromise it and you do not walk away with one secret. You walk away with all of them.
The US Cybersecurity and Infrastructure Security Agency (CISA, the federal body that tracks bugs already being used in attacks) added the flaw, tracked as CVE-2026-42271, to its Known Exploited Vulnerabilities catalog, the list it reserves for vulnerabilities under active exploitation. The bug carries a severity rating of 8.7 out of 10. LiteLLM's maintainer, BerriAI, first disclosed it in April. It affects every version of the LiteLLM package from 1.74.2 up to the 1.83.7 release that fixes it.
The mechanism is a textbook command injection, a flaw that lets an attacker run their own operating-system commands on the target machine. LiteLLM offered two endpoints to test an MCP server (Model Context Protocol, the standard connector that lets an AI assistant reach outside tools) before saving it. Those test endpoints accepted a full server configuration in the request, including the command to launch. When the configuration used the local stdio mode, the gateway dutifully ran that command as a process on its own host, with its own privileges. The only gate in front of it was a valid API key, with no check on what that key was allowed to do. So any logged-in user, even one holding the lowest-privilege key, could hand the gateway a command and have it executed.
The damage here is not a leaked chatbot transcript. It is the credential store at the center of a company's AI stack. To spare every team from juggling provider logins, the gateway pools them: the OpenAI key, the Anthropic key, the cloud credentials, the billing access, all in one service. That convenience is exactly what makes it worth attacking, because one remote code execution against the proxy hands over the whole set at once, and from there an intruder can move into whatever internal tools the gateway was trusted to reach. If your engineering team stood up LiteLLM to tame AI sprawl, the uncomfortable question is whether that box is now the least-defended machine holding your most sensitive keys.
The broader pattern is the part worth carrying into a planning meeting. This is the second LiteLLM flaw weaponized in a month, after a database-injection bug that attackers turned around within 36 hours in April, and it follows a supply-chain attack that planted malicious LiteLLM packages on the Python package index in March. The AI plumbing that organizations bolted on in a hurry over the past two years has become its own attack surface, and attackers have noticed it is often deployed faster than it is secured.
CVE-2026-42271 is not exotic. It is a plain command-injection bug in a convenience tool, the kind of thing that would barely register on an ordinary web server. What makes it serious is the job the server does. An AI gateway exists to gather every model credential in one place, which is precisely why a single flaw in it earns a maximum severity score. The lesson for the next architecture review is short. The software you deployed to manage AI is now infrastructure an attacker wants, so defend it like the vault it has quietly become, and check today whether the version you are running is one a stranger can already run code on. The authoritative details are in the CISA advisory and BerriAI's own security advisory.
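The version check the article calls for, as an added example (not code from LiteLLM, BerriAI or CISA): it compares a version string, pinned requirement lines, or the locally installed package against the affected range stated above, 1.74.2 up to the fixed 1.83.7. The function names and the treatment of pre-releases as preceding their release are assumptions of this sketch.

```python
import re
from importlib import metadata

# Range as stated in the article: 1.74.2 up to the fixed release 1.83.7.
FIRST_AFFECTED = (1, 74, 2)
FIRST_FIXED = (1, 83, 7)

_VERSION = re.compile(r"v?(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"[.\-_]?(?:alpha|beta|a|b|rc|dev)[.\-_]?(?:\d|$)", re.I)
# Lookahead keeps sibling packages such as 'litellm-proxy-extras' out.
_REQ = re.compile(r"^\s*litellm(?![\w.\-])(?:\[[^\]]*\])?\s*([=<>!~]=?[^;#]*)?", re.I)

def parse(version):
    """Return (numeric release tuple, is_prerelease) for a version string."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    rel = [int(p) for p in m.group(1).split(".")]
    rel += [0] * (3 - len(rel))            # '1.75' -> (1, 75, 0)
    return tuple(rel), bool(_PRE.match(m.group(2)))

def is_affected(version):
    """Numeric comparison: as plain strings, '1.8.0' would fall inside the range."""
    rel, pre = parse(version)
    if pre:  # assumption: a pre-release of X sorts before X (PEP 440 ordering)
        return FIRST_AFFECTED < rel <= FIRST_FIXED
    return FIRST_AFFECTED <= rel < FIRST_FIXED

def audit_requirements(lines):
    """Classify each litellm requirement line as 'affected', 'ok' or 'unpinned'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = _REQ.match(line)
        if not m:
            continue
        spec = (m.group(1) or "").strip()
        if spec.startswith("==") and "*" not in spec:
            verdict = "affected" if is_affected(spec[2:].strip()) else "ok"
        else:
            verdict = "unpinned"  # range or no pin: check the resolved version
        findings.append((number, line.strip(), verdict))
    return findings

def installed_status():
    """(version, affected) for the litellm in this environment, or None."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)
```

Pass the lines of a requirements or lock file to `audit_requirements`; an `unpinned` verdict means the resolved version has to be checked in the deployed environment, for instance with `installed_status()`.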


