AI Security Week: May 13, 2026
A critical pre-auth SQL injection in LiteLLM lands in CISA's KEV catalog, the EU reaches a provisional deal to delay and reshape the AI Act, and Microsoft details how prompt injection becomes RCE in agent frameworks. Verify all specifics against primary sources.
This is an analysis-and-commentary digest. Verify every CVE identifier, fixed-version number, date, and quantitative figure below against the primary source — NVD, the project’s own security advisories, or the official regulatory text — before relying on it. This week has unusually concrete items, so each is tied to a primary source you should confirm yourself.
LiteLLM pre-auth SQL injection makes the CISA KEV catalog
The most actionable item this week is a real, exploited vulnerability in a widely deployed piece of LLM infrastructure. CVE-2026-42208 ↗ is a pre-authentication SQL injection in LiteLLM, the open-source proxy server / AI gateway that many teams put in front of their model APIs. Per the NVD record, a database query used during proxy API-key checks mixed the caller-supplied key value into the query text instead of binding it as a parameter, so an unauthenticated attacker could send a crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach the vulnerable query through the proxy’s error-handling path. NVD lists it as CRITICAL (CVSS v3.1 9.8 / CVSS v4.0 9.3) and affecting versions 1.81.16 up to (but not including) 1.83.7 — confirm the exact range against the advisory before you assess your own exposure.
Two details make this worth your attention beyond the score:
- It was exploited fast. Public reporting (Sysdig’s threat-research write-up, among others) documented the first exploitation attempt within roughly 36 hours of the advisory becoming widely indexed, with the attacker going straight for the tables holding virtual API keys and provider credentials — precision, not opportunistic scanning.
- It’s in CISA’s KEV. The U.S. Cybersecurity and Infrastructure Security Agency added it to the Known Exploited Vulnerabilities catalog ↗, which sets a federal-agency remediation deadline and is a strong “patch now” signal for everyone else.
Defender’s reading: an AI gateway is a crown-jewel target precisely because it concentrates every downstream provider credential in one place. Inventory whether you run LiteLLM, confirm your version against the patched release, and — because this class leaks stored secrets — rotate the credentials the proxy held rather than only patching. The durable lesson is the boring one: an LLM proxy is ordinary web infrastructure with extraordinarily valuable contents, and it deserves ordinary web-security hygiene (parameterized queries, least-privilege DB access, secret rotation).
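The bug class described above, as an added example that is not LiteLLM's code: a constructed sqlite3 table stands in for the proxy's virtual-key store, the key format is an assumed allowlist, and the unsafe lookup splices the bearer token into the query text while the hardened one validates the shape and binds it as a parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a proxy's virtual-key table
# (illustrative schema, not LiteLLM's).
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
conn.execute("INSERT INTO virtual_keys VALUES ('sk-good-key', 'team-a')")

# Assumed key format: allowlist the shape before the value reaches the database.
KEY_RE = re.compile(r"^sk-[A-Za-z0-9_-]{4,128}$")


def bearer_token(authorization_header: str) -> str:
    # Extract <token> from "Bearer <token>"; any other scheme yields "".
    scheme, _, token = authorization_header.partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def lookup_unsafe(token: str):
    # The bug class: caller-controlled text spliced into the query string,
    # so the SQL parser sees the token as part of the statement.
    sql = f"SELECT team FROM virtual_keys WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(token: str):
    # Hardened form: reject unexpected shapes, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    if not KEY_RE.match(token):
        return None
    row = conn.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def compare(authorization_header: str) -> dict:
    # Run both lookups on the same header and report what each did.
    token = bearer_token(authorization_header)
    out = {"safe": lookup_safe(token)}
    try:
        out["unsafe"] = lookup_unsafe(token)
    except sqlite3.OperationalError:
        # A stray quote reached the SQL parser: the input became query text.
        out["unsafe"] = "sql syntax error"
    return out
```

A single stray quote is enough to show the difference: the parameterized path treats it as data and finds nothing, the interpolated path hands it to the SQL parser.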
Microsoft: when prompt injection becomes remote code execution
Microsoft’s security team published an analysis (May 7, 2026 ↗) walking through how prompt injection in an AI agent framework can escalate into host-level remote code execution — the gap between “the model said something bad” and “the model ran something bad.” The write-up centers on two vulnerabilities in Microsoft’s own Semantic Kernel SDK that have NVD records you can verify:
- CVE-2026-26030 ↗ — an RCE in the Semantic Kernel Python SDK’s InMemoryVectorStore filter functionality, fixed in 1.39.4, listed CVSS 9.9 CRITICAL.
- CVE-2026-25592 ↗ — an arbitrary file write in the Semantic Kernel .NET SDK’s SessionsPythonPlugin, fixed in 1.71.0, listed CVSS 9.9 CRITICAL.
We frame the durable lesson rather than re-reporting the exploit mechanics: the dangerous surface in an agent system is the path from model output to a privileged action. A vector-store filter that interpolates model-influenced strings into evaluated code, or a plugin that exposes a file-write primitive to the model, is exactly the “the model proposes, a deterministic check disposes” boundary that excessive-agency designs skip. If you build on any agent framework, the action is to enumerate every primitive your tools expose to the model — eval-like behavior, file writes, downloads, shell — and put a non-model authorization check in front of the consequential ones. Confirm the CVE details and your own SDK versions against NVD and the vendor advisory.
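One shape of that "the model proposes, a deterministic check disposes" boundary, as an added example that is not Semantic Kernel's or any framework's code: a small Python gate that every model-proposed tool call must pass before it executes. The tool names, the sandbox path and the per-tool argument checks are assumptions for illustration.

```python
import json
from pathlib import Path

# Assumed sandbox root for the file-write primitive (constructed path).
SANDBOX = Path("/tmp/agent-sandbox").resolve()


def inside_sandbox(path: str) -> bool:
    # resolve() collapses ".." and symlinks, so escapes are judged on the real path.
    if not path:
        return False
    target = (SANDBOX / path).resolve()
    return target == SANDBOX or SANDBOX in target.parents


# Every primitive the model could name, paired with the deterministic check
# its arguments must pass. None marks primitives never exposed to the model.
POLICY = {
    "search_docs": lambda a: isinstance(a.get("query"), str) and len(a["query"]) <= 256,
    "write_file": lambda a: isinstance(a.get("path"), str) and inside_sandbox(a["path"])
    and isinstance(a.get("content"), str) and len(a["content"]) <= 65536,
    "run_python": None,  # eval-like primitive: not model-callable
    "shell": None,
}


def authorize(proposed_call: str) -> tuple:
    """Decide whether a model-proposed tool call (raw JSON from the model)
    may execute. The model only influences the arguments; the policy table
    and the checks are fixed by the application, not by model output."""
    try:
        call = json.loads(proposed_call)
        name, args = call["tool"], call.get("args", {})
    except (ValueError, KeyError, TypeError):
        return False, "malformed tool call"
    if not isinstance(name, str) or name not in POLICY:
        return False, f"unknown tool {name!r}"
    check = POLICY[name]
    if check is None:
        return False, f"{name!r} is not exposed to the model"
    if not isinstance(args, dict) or not check(args):
        return False, f"arguments rejected for {name!r}"
    return True, "ok"
```

The point of the table is that it is enumerable: auditing which entries are None and which checks guard a write or download is the inventory step the paragraph calls for.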
Policy: the EU AI Act gets a provisional “Omnibus” reshape
On May 7, 2026, Council and Parliament negotiators reached a provisional political agreement on a package — widely referred to as the AI/Digital “Omnibus” — that both delays and adjusts parts of the EU AI Act. Reporting of the deal (and the official EU communications around it) indicates the high-risk-system obligations under Annex III would be postponed from August 2, 2026 to December 2, 2027, with several other application dates shifting as well, alongside new prohibitions targeting AI-generated non-consensual intimate imagery and CSAM, and simplification measures.
We deliberately treat the specific dates as provisional and subject to formal adoption — a political agreement is not yet final law, and the official Act overview ↗ plus the EU institutions’ own publications are authoritative. The durable, vendor-independent action is unchanged regardless of which dates land: classify which of your systems fall into which risk tier, and track the specific application date for that tier against the official source. A timeline extension relieves schedule pressure; it does not change the security-relevant obligations (risk management, logging, robustness, human oversight) you should be mapping controls against now.
Incident Tracking
The credible, concrete pattern this week is exploitation of LLM-serving infrastructure, evidenced by the LiteLLM KEV listing and rapid in-the-wild exploitation. The defensive takeaway: treat the proxy/gateway layer of your AI stack as a high-value web application, not as glue code. Patch CVE-2026-42208 if you run LiteLLM, rotate the credentials it stored, and confirm every detail above against NVD, the project advisory, and the CISA KEV catalog before acting.