When he starts tomorrow, I hope Vogt has him on a short leash

with the central so tight we can't afford to give up games

RCE in LiteLLM (CVE-2026-42208): How Two Vulnerabilities and 36 Hours Turn an AI Gateway into a Backdoor

Adversaries are increasingly targeting exposed AI middleware. LiteLLM, one of the most widely used open-source AI gateways, acts as an intermediary between an organization's applications and upstream model providers such as OpenAI, Anthropic, Bedrock, Vertex, Azure OpenAI, and many others. It translates calls into a unified interface, enforces rate limits, logs usage, and manages traffic routing.

Three properties make it an unusually high-value target:

1. It holds the keys to every model provider in the stack. A compromised LiteLLM proxy means stolen OpenAI, Anthropic, and cloud provider credentials — often with elevated quotas attached.
2. It logs prompts and responses by default. That includes whatever sensitive data the application is shipping into the model: customer PII, internal documents, code, credentials pasted into copilots.
3. It is overwhelmingly deployed to the internet. Most teams stand it up as a proxy at the edge so internal services and partner integrations can hit it. In production scans we routinely see LiteLLM instances answering on public IPs.

This guidance was co-authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), the Canadian Centre for Cyber Security (Cyber Centre), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK). Throughout this guidance, these organisations are referred to as the ‘authoring agencies’. This guidance discusses key cyber security challenges and risks associated with the introduction of agentic AI into IT environments, as well as best practices for securing agentic AI systems.

The authoring agencies strongly recommend aligning agentic AI risks and mitigation strategies with your organisation’s existing security model and risk posture. The authoring agencies further recommend adopting agentic AI with security in mind, assessing its use and never granting it broad or unrestricted access, especially to sensitive data or critical systems. Additionally, organisations should only use agentic AI for low-risk and non-sensitive tasks.

Scope and audience

This guidance primarily focuses on large language model (LLM)-based agentic AI systems. It considers both threats to and vulnerabilities within agentic AI systems, as well as risks arising from agentic AI behaviour. This includes risks introduced through system components, integrations and downstream use.

The authoring agencies developed this guidance to support government, critical infrastructure and industry stakeholders in understanding the key security challenges and risks posed by agentic AI. It provides practical guidance to help organisations that design, develop, deploy and operate agentic AI systems, to make informed risk assessments and mitigations. The guidance concludes with actionable recommendations to help organisations prepare for and defend against emerging and future agentic AI threats.