Critical SQL Injection Vulnerability in LiteLLM Exploited: Immediate Action Required
A critical pre-authentication SQL injection vulnerability, identified as CVE-2026-42208, has been discovered in LiteLLM, a widely used open-source AI gateway with over 22,000 GitHub stars. This flaw is actively being exploited, allowing unauthorized attackers to extract sensitive cloud and AI provider credentials directly from the platform’s PostgreSQL database.
Understanding LiteLLM’s Role and the Vulnerability
LiteLLM serves as a central proxy for major language models such as OpenAI, Anthropic, and AWS Bedrock. It manages AI routing and billing, storing high-value secrets, including master API keys and enterprise cloud credentials. The vulnerability resides within the proxy’s verification process, specifically in how LiteLLM handles the `Authorization: Bearer` header. By inserting a single quote into a fake token like `sk-litellm’`, an attacker can break out of the intended query and execute malicious database commands before authentication occurs. This means any HTTP client that can reach the proxy port can exploit the flaw without needing valid credentials.
Rapid Exploitation and Targeted Data Theft
The Sysdig Threat Research Team detected the first exploitation attempt just 36 hours and seven minutes after the vulnerability was indexed in the global GitHub Advisory Database on April 24, 2026. Unlike noisy, automated vulnerability scanners, the attackers demonstrated advanced knowledge of LiteLLM’s internal structure. They launched targeted attacks against three specific tables: `LiteLLM_VerificationToken`, `litellm_credentials`, and `litellm_config`. These tables store the system’s most critical data, including virtual API keys, stored provider credentials, and environment configurations. The threat actors even adapted their payloads to match the exact case of the database schema, indicating a coordinated and deliberate data-extraction effort. This activity originated from two IP addresses (65.111.27.132 and 65.111.25.67) within the same autonomous system.
Immediate Patching and Credential Rotation
The maintainers of LiteLLM have released version 1.83.7, which addresses the vulnerability by properly securing the database queries. Organizations running any affected version (from 1.81.16 through 1.83.6) must apply this critical update immediately. Given that this attack requires no login and can be executed against any exposed instance, administrators should assume that vulnerable, internet-facing servers have already been compromised. Security teams must promptly rotate all virtual API keys, master keys, and stored provider credentials. Additionally, companies should actively monitor their upstream cloud billing accounts for unexpected API calls or unauthorized AI token consumption. Defenders should also audit web server logs for suspicious requests containing SQL keywords or the `sk-litellm’` payload.
Broader Implications and Preventative Measures
This incident underscores the critical importance of securing AI gateways, which have become major repositories for expensive cloud credentials. Organizations must treat these proxy environments as top-tier security targets. Securing these proxies behind internal networks and maintaining strict patch management are essential steps to prevent devastating corporate credential theft. Furthermore, this event highlights the need for robust input validation and parameterized queries to prevent SQL injection vulnerabilities. Regular security audits and penetration testing can help identify and remediate such vulnerabilities before they can be exploited.
Conclusion
The exploitation of CVE-2026-42208 in LiteLLM serves as a stark reminder of the ever-present threats in the cybersecurity landscape. Organizations must remain vigilant, promptly apply security patches, and implement comprehensive security measures to protect their systems and sensitive data.
