The developer convenience perimeter

2026-05-08 · by @osbytes · 4 min read
#security #ai #infrastructure #linux #tooling

Someone deployed LiteLLM so engineers could hit one OpenAI-shaped endpoint and forget which vendor bills what. That was a fair trade until CISA added CVE-2026-42208 to the Known Exploited Vulnerabilities catalog and the proxy stopped looking like a routing detail. The advisory is blunt: in affected builds (>=1.81.16, <1.83.7) an unauthenticated caller could inject SQL through the bearer token the proxy looks up during API-key verification, so the injection ran before the proxy had even decided who was allowed in. The fix is 1.83.7 or newer; the maintainers recommend 1.83.10-stable, and offer disable_error_logs: true only as a damage-limiting stopgap if you truly cannot patch yet (LiteLLM write-up).

That is not "yet another app vuln" in the usual sense. Gateways like this routinely hold virtual keys, upstream provider credentials, spend controls and environment-backed config in one place, because that is how multi-provider routing stays usable. One SQL injection does not just leak rows; it tees up credential rotation across every model account the proxy ever touched, plus log review for odd bearer headers and finance asking what ran up the bill during the gap. Sysdig saw exploitation attempts within roughly 36 hours of disclosure; they did not claim confirmed downstream compromise, which is the honest boundary for public reporting. The KEV listing still means defenders cannot file this as theoretical inventory.
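To make the auth-path point concrete, here is an added example (mine, not LiteLLM's code): a virtual-key lookup that formats the bearer token straight into SQL beside the parameterized version, followed by a scan over constructed access-log lines for bearer values that do not look like issued keys, which is the "odd bearer headers" review mentioned above. The key table, the key shape and the log format are assumptions for the demo.

```python
"""Added example (mine, not LiteLLM's code): a virtual-key lookup that formats the
bearer token into SQL beside the parameterized version, plus a scan over
constructed log lines for bearer values that do not look like issued keys.
The key table, key shape and log format are assumptions for the demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed key table: one virtual key and the team it belongs to.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-team-a-0001', 'team-a')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, bearer: str):
    # The token is pasted into the statement, so the caller writes SQL before
    # any authentication decision has been made.
    row = conn.execute(
        f"SELECT team FROM virtual_keys WHERE token = '{bearer}'"
    ).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn: sqlite3.Connection, bearer: str):
    # Same query with a bound parameter: the token is data, never SQL.
    row = conn.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (bearer,)
    ).fetchone()
    return row[0] if row else None


# Assumed shape of an issued virtual key; match it to what your gateway mints.
KEY_SHAPE = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")
# Assumed access-log format: key=value pairs with the header value quoted.
BEARER = re.compile(r'authorization="Bearer ([^"]*)"')

# Constructed log lines; the second carries a tautology payload.
SAMPLE_LOG = [
    'ts=2026-05-08T10:00:01Z path=/chat/completions authorization="Bearer sk-team-a-0001" status=200',
    'ts=2026-05-08T10:00:07Z path=/chat/completions authorization="Bearer x\' OR 1=1 --" status=200',
    'ts=2026-05-08T10:00:09Z path=/chat/completions authorization="Bearer sk-team-b-9999" status=401',
]


def suspicious_bearers(log_lines):
    """Return bearer values that do not match KEY_SHAPE (quotes, comment markers,
    wrong length). A well-formed but unknown key (the 401 above) is not flagged;
    that is ordinary noise, whereas SQL punctuation in a credential is not."""
    hits = []
    for line in log_lines:
        m = BEARER.search(line)
        if m and not KEY_SHAPE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print("vulnerable   :", lookup_vulnerable(db, payload))     # team-a
    print("parameterized:", lookup_parameterized(db, payload))  # None
    print("odd bearers  :", suspicious_bearers(SAMPLE_LOG))
```

The tautology payload returns the first team in the table from the formatted query and nothing from the bound one; that is the whole difference between "routing detail" and "KEV entry". The log check is deliberately crude: it flags shape violations rather than trying to recognise SQL, so anything that your real key format rejects gets a human look.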

High-value secrets funneled through shortcuts predate LLM gateways; shared reverse proxies and identity plumbing drew attackers long before ChatGPT wrappers did. What matters here is that the bug sat on the authentication path, and that timing (KEV plus public chatter) narrowed the patching window.

The rest of that day's stack news lined up quietly with the same pattern: friction drops, and credentials show up somewhere nobody filed a ticket about. CCCS issued AL26-011 covering CVE-2026-43284 and CVE-2026-43500 ("Dirty Frag"): local user to root via a chained pair of issues, a public proof of concept already circulating, and no universal stable fix across every distro on advisory day. The attacker needs code execution first (multitenant breakouts, bad CI tenants, boxed low-privilege accounts) and then gets root. Canonical spelled out the awkward interim work: unload esp4/esp6 and rxrpc where you can, and stop assuming cheap shared hosting stays separated when exploits ship before kernels do. Uneven rollout after a flashy PoC is an old ops headache; Dirty Frag adds a nickname and module names, not a new shape of urgency.
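The "where you can" in Canonical's note is the part that needs tooling on a shared host: a module with dependents will not unload, and a bare blacklist does not stop an explicit load. The following is an added example (mine, not Canonical's or the advisory's tooling) that reads /proc/modules-format text, reports which of the named modules are loaded, computes an unload order that removes dependents first, and emits a modprobe.d drop-in. The /proc/modules excerpt and the drop-in filename are constructed for the demo.

```python
"""Added example (mine, not Canonical's or the advisory's tooling): read
/proc/modules-format text, report which of the modules named in the Dirty Frag
mitigation are loaded, compute an unload order that removes dependents first,
and emit a modprobe.d drop-in that stops them coming back. The sample
/proc/modules content below is constructed."""
import os

# Modules named in Canonical's interim mitigation, per the post above.
RISKY = ("esp4", "esp6", "rxrpc")

# Constructed /proc/modules excerpt: name, size, refcount, used-by list, state, address.
SAMPLE_PROC_MODULES = """\
esp4 24576 0 - Live 0xffffffffc0a10000
rxrpc 712704 1 kafs, Live 0xffffffffc0900000
kafs 348160 0 - Live 0xffffffffc0a80000
xfrm_algo 20480 1 esp4, Live 0xffffffffc0600000
"""


def parse_proc_modules(text: str) -> dict:
    """Map each loaded module to the modules that use it (4th column, '-' if none)."""
    used_by = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, users = parts[0], parts[3]
        used_by[name] = [] if users == "-" else [u for u in users.split(",") if u]
    return used_by


def unload_order(used_by: dict, target: str) -> list:
    """Modules to remove, dependents first, so `modprobe -r target` can succeed."""
    order = []

    def visit(mod):
        for user in used_by.get(mod, []):
            if user not in order:
                visit(user)
        if mod not in order:
            order.append(mod)

    visit(target)
    return order


def mitigation_plan(text: str, risky=RISKY):
    """Return (loaded risky modules, modprobe commands, modprobe.d drop-in text)."""
    used_by = parse_proc_modules(text)
    loaded = [m for m in risky if m in used_by]
    commands = []
    for m in loaded:
        for mod in unload_order(used_by, m):
            cmd = f"modprobe -r {mod}"
            if cmd not in commands:
                commands.append(cmd)
    # `install <mod> /bin/false` refuses explicit loads too; a bare `blacklist`
    # line only stops alias-based autoloading, so it is not enough on its own.
    dropin = "\n".join(f"install {m} /bin/false" for m in risky) + "\n"
    return loaded, commands, dropin


if __name__ == "__main__":
    # On a real host read /proc/modules; elsewhere fall back to the sample.
    text = SAMPLE_PROC_MODULES
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as fh:
            text = fh.read()
    loaded, commands, dropin = mitigation_plan(text)
    print("loaded risky modules:", loaded)
    print("\n".join(commands))
    print("--- /etc/modprobe.d/dirty-frag.conf (assumed name) ---\n" + dropin)
```

The plan only gives you the order. modprobe -r still refuses if a dependent is in use (an AFS mount holding kafs, a live IPsec SA holding esp4), and that refusal is exactly the case where the host cannot take the mitigation and needs the kernel instead.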

GitHub shipped org-scoped secrets for Copilot cloud agents. Codex 0.130.0 added operator-facing remote control surfaces, richer telemetry hooks and Bedrock auth paths. Together with GitHub's changelog entry on Copilot review metrics (new types in the usage API), these look like bookkeeping until you ask who decides which repos an agent can reach and what counts as prod config. GitHub also flagged Grok Code Fast 1 retiring in Copilot in line with xAI's cutoff date: model choice is calendar work now, same as patching a JDBC driver.

If you touch platform work, apply the outward-reach checklist you already use on proxies and ingress. Can the LLM gateway be reached from hosts that should never talk to it? Patch past 1.83.7 and rotate keys if exposure looked plausible; map kernel modules on shared hosts when public PoCs outrun distro cherry-picks; and list agent secret scopes and model cutoff dates beside the other production dependencies instead of leaving the glue off the inventory spreadsheet.