ai · 2026-06-03

CISA added LiteLLM command injection to the KEV catalog on June 8, 2026. Langflow's earlier RCE was exploited in 20 hours. The AI agent supply chain is now a federal target — patch, isolate, and stop exposing these proxies.
LiteLLM and Langflow are now on CISA's exploited-vulnerabilities list

CISA added two new entries to its Known Exploited Vulnerabilities (KEV) catalog on June 8, 2026, and both should give any team running AI infrastructure a cold sweat. CVE-2026-42271 is a command-injection flaw in BerriAI's LiteLLM, the most popular LLM proxy in the Python ecosystem. CVE-2026-50751 is the same day, same KEV batch — and it sits in Check Point's VPN gateway, which is its own five-alarm fire. But the LiteLLM and Langflow stories run in parallel: the AI agent supply chain is now officially a federal target.

What You Need to Know: CISA added a LiteLLM command-injection vulnerability to its Known Exploited Vulnerabilities catalog on June 8, 2026, putting federal agencies on a patch clock. Langflow's earlier RCE bug is still under remediation, and both attacks show that the AI agent supply chain is now a top-tier target.

Why It Matters

  • CISA KEV means federal deadlines. Once a CVE lands in the KEV catalog, U.S. federal civilian agencies have a binding remediation window. For LiteLLM that clock started ticking on June 8. Private companies are not legally bound, but the KEV designation is a strong "patch now" signal that boards and insurers pay attention to.
  • LiteLLM is everywhere. BerriAI's LiteLLM is the de-facto LLM proxy — the abstraction layer that lets apps call OpenAI, Anthropic, Google, and 100+ other models through one API. The version range affected (1.81.16 to before 1.83.7) covers a huge slice of in-flight deployments.
  • Langflow's RCE was exploited in 20 hours. The earlier unauthenticated RCE in Langflow (CVE-2026-33017) was weaponized within 20 hours of disclosure. The bug allowed any unauthenticated user to execute arbitrary Python by hitting the public /build_public_tmp endpoint.
  • The supply chain is the new perimeter. Both libraries sit in front of LLM credentials, model weights, and customer data. Compromising them gives attackers the keys to the AI castle — without ever touching the model provider directly.

What Actually Happened

LiteLLM CVE-2026-42271 lands on CISA KEV on June 8, 2026

CISA's June 8, 2026 advisory added CVE-2026-42271 to the KEV catalog. The vulnerability is described as a command-injection flaw in BerriAI LiteLLM "that could allow any authenticated" user to execute commands on the host. The fix shipped in LiteLLM 1.83.7.

CVE-2026-42271 is a sibling of the earlier CVE-2026-42208, a pre-auth SQL injection in the same product with a CVSS of 9.3. That bug was exploited within 36 hours of disclosure. The Hacker News reporting noted attackers used it to expose LiteLLM credentials and pivot to cloud account compromise. If you were running 1.81.16 → 1.83.6, you were on borrowed time the moment the advisory went public in April 2026.

The Cloud Security Alliance's research note called CVE-2026-42208 "a critical (CVSS 9.3) pre-authentication SQL injection vulnerability in LiteLLM — a widely deployed AI gateway." The KEV listing for 42271 in June is CISA saying: same problem, different flavor, still active exploitation.

Langflow's CVE-2026-33017: unauthenticated RCE in 20 hours

The Langflow bug hit in March 2026. Sysdig's writeup documents the timeline: public disclosure on March 16, exploitation in the wild within 20 hours. The endpoint, /api/v1/build_public_tmp, was designed to be unauthenticated so users could preview public flows — but it accepted attacker-supplied flow data, which was passed to exec() with zero sandboxing. That's textbook pre-auth RCE.
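To check whether an instance received traffic on that endpoint, the following added example (not code from Langflow or Sysdig) scans reverse-proxy access logs for requests under the path named above and summarises them per client. It assumes common/combined log format; the sample lines, addresses and the `EXAMPLE-ID` path segment are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path prefix named on this page; matched as a prefix because the page gives no more of the route.
ENDPOINT = "/api/v1/build_public_tmp"

# Common/combined access-log format (assumption; adapt to your proxy's format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_hits(lines):
    """Return {client_ip: summary} for requests to the public build endpoint."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ok": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise before comparing: drop the query string, decode %xx, collapse '//'.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0]))
        if not path.startswith(ENDPOINT):
            continue
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        # A 2xx status means the server accepted the request: investigate those first.
        if m["status"].startswith("2"):
            rec["ok"] += 1
    return dict(hits)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [17/Mar/2026:03:12:44 +0000] "POST /api/v1/build_public_tmp/EXAMPLE-ID HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2026:03:12:49 +0000] "POST /api/v1/build_public_tmp/EXAMPLE-ID?x=1 HTTP/1.1" 500 87',
    '192.0.2.10 - - [17/Mar/2026:03:13:02 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 64',
    '192.0.2.22 - - [17/Mar/2026:03:14:10 +0000] "POST /api/v1/build_public_tmp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, rec in find_hits(SAMPLE).items():
        print(ip, rec)
```

Any client with a non-zero `ok` count on an unpatched instance is a lead for host-level review of what the Langflow process did around those timestamps.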

GitHub's advisory record describes the path explicitly: "This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution." The fix went out in Langflow 1.5.1, but anything earlier is exposed, and the window for mass scanning was brutal.
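For inventory work, this added example (not from CISA, BerriAI or Langflow) triages `pip freeze` style output against the version boundaries stated on this page: LiteLLM 1.81.16 up to but not including 1.83.7, and Langflow before 1.5.1. The status labels and the sample input are constructed, and treating a pre-release of the fixed version as affected is a conservative assumption.

```python
import re

# Boundaries as stated on this page: (first affected, first fixed); None = no lower bound given.
AFFECTED = {
    "litellm": ((1, 81, 16), (1, 83, 7)),
    "langflow": (None, (1, 5, 1)),
}

def parse_version(text):
    """Return (release_tuple, is_prerelease) for e.g. 1.83.7, 1.83.7rc1, 1.5.0.post1."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))              # pad 1.5 -> 1.5.0
    is_pre = bool(re.match(r"[-_.]?(a|b|rc|dev)", m.group(2).lower()))
    return release, is_pre

def triage(package, version):
    """Classify one package as affected / patched / below-range / not-tracked."""
    bounds = AFFECTED.get(package.lower())
    if bounds is None:
        return "not-tracked"
    first_bad, first_fixed = bounds
    release, is_pre = parse_version(version)
    if first_bad is not None and release < first_bad:
        return "below-range"      # outside the range the page states; review separately
    # A pre-release of the fixed version may predate the fix, so count it as affected.
    if release < first_fixed or (release == first_fixed and is_pre):
        return "affected"
    return "patched"

def scan_freeze(freeze_text):
    """Triage every tracked 'name==version' line of pip-freeze style output."""
    findings = {}
    for line in freeze_text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep and name.lower() in AFFECTED:
            findings[name.lower()] = (version, triage(name, version))
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_FREEZE = "fastapi==0.115.0\nlitellm==1.82.4\nlangflow==1.5.1\n"

if __name__ == "__main__":
    for pkg, (ver, status) in scan_freeze(SAMPLE_FREEZE).items():
        print(f"{pkg} {ver}: {status}")
```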

Mercor, a $10 billion AI hiring startup, confirmed a supply-chain breach through LiteLLM in the weeks after the disclosure — proof that mid-2026 is when attackers started treating LLM proxies the same way they treated Log4j endpoints in 2021.

What "added to KEV" actually means

CISA's Known Exploited Vulnerabilities Catalog is the binding list for federal civilian agencies (FCEB). Once a CVE is in the catalog, agencies have a remediation deadline (typically a few weeks). For everyone else, the practical effect is: insurers, auditors, and procurement teams treat KEV entries as a red flag. If you're selling into federal supply chains, KEV inclusion is a procurement event.

The Take

LiteLLM and Langflow are the Log4j moment for AI infrastructure. They sit in front of every LLM call, they expose a wide surface to the network, and their user base skews developer — meaning lots of self-hosted instances with default configs. If you're running either, you should be on a patched version, behind a WAF, and ideally not exposed to the public internet at all.

The bigger pattern: every time CISA adds an AI-adjacent CVE to KEV, it tells you attackers have already automated the exploitation. They don't care that LiteLLM is "new tech" — they care that it's a Python service with a network endpoint and a known unauthenticated code path. Patch.

Quick Summary

CISA added LiteLLM command injection to the KEV catalog on June 8, 2026. Langflow's earlier unauthenticated RCE was exploited in 20 hours. The AI agent supply chain is now a top-tier federal target — patch, isolate, and stop exposing these proxies to the internet.
