ctipilot.ch · Switzerland · Europe · Public sector

LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

CVE-2026-42208 (pre-auth SQL injection in LiteLLM Proxy, CVSS 9.3) was added to CISA KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11, which is tomorrow (Bishop Fox, CVE-2026-42208 technical analysis, 2026-04-30; LiteLLM vendor advisory, 2026-04-29). Patching alone is insufficient: every upstream LLM-provider API key (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.) stored in the proxy's database must be rotated, since pre-patch exposure means credentials may already have been exfiltrated. Move to LiteLLM v1.83.7+ and audit upstream-provider call logs for anomalous geographic origins or call-volume spikes since 2026-04-30.
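
The log audit recommended above can be scripted once usage data has been exported from each provider. The Python below is an added example, not code from the brief, LiteLLM or any provider: it flags source countries a key never used before 2026-04-30 and daily call totals far above that key's earlier median. The record layout, the key labels, the 3x threshold and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

EXPOSURE_START = date(2026, 4, 30)  # start of the audit window named in the brief
SPIKE_FACTOR = 3.0                  # assumption: tune to your own traffic

# Constructed sample rows: (day, key_label, source_country, call_count).
# The layout is an assumption; map each provider's usage export onto it.
SAMPLE = [
    ("2026-04-27", "key-a", "CH", 1000), ("2026-04-28", "key-a", "CH", 1100),
    ("2026-04-29", "key-a", "CH", 900),  ("2026-05-01", "key-a", "CH", 1050),
    ("2026-05-02", "key-a", "CH", 1000), ("2026-05-02", "key-a", "SG", 4200),
    ("2026-04-28", "key-b", "DE", 200),  ("2026-04-29", "key-b", "DE", 220),
    ("2026-05-03", "key-b", "DE", 230),
]

def audit(records, start=EXPOSURE_START, factor=SPIKE_FACTOR):
    """Return findings for calls on or after `start`, judged against earlier days."""
    base_countries = defaultdict(set)                    # key -> countries before start
    base_daily = defaultdict(lambda: defaultdict(int))   # key -> day -> calls before start
    win_daily = defaultdict(lambda: defaultdict(int))    # key -> day -> calls in window
    window = []
    for day_s, key, country, calls in records:
        day = date.fromisoformat(day_s)
        if day < start:
            base_countries[key].add(country)
            base_daily[key][day] += calls
        else:
            window.append((day, key, country))
            win_daily[key][day] += calls
    findings, seen = [], set()
    # Origin check: first appearance of a country the key never used before the window.
    for day, key, country in sorted(window):
        if country not in base_countries[key] and (key, country) not in seen:
            seen.add((key, country))
            findings.append(("new_origin", key, day.isoformat(), country))
    # Volume check: daily total above factor x median pre-window daily total.
    # A key with no pre-window history has baseline 0, so all its activity is flagged.
    for key, days in win_daily.items():
        baseline = median(base_daily[key].values()) if base_daily[key] else 0
        for day, total in sorted(days.items()):
            if total > factor * baseline:
                findings.append(("volume_spike", key, day.isoformat(), total))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings are leads for manual review, not proof of misuse; a hit on a key that has not yet been rotated is a reason to rotate it first and investigate second.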