Critical SQL Injection Vulnerability in LiteLLM Exploited Within 36 Hours of Disclosure
In a recent cybersecurity incident, a critical SQL injection vulnerability identified in BerriAI’s LiteLLM Python package was actively exploited within 36 hours of its public disclosure. This flaw, designated as CVE-2026-42208 with a CVSS score of 9.3, allows unauthorized modification of the LiteLLM proxy database.
The vulnerability arises from improper handling of user-supplied input during proxy API key checks. Specifically, the application incorporated the caller-supplied key value directly into the SQL query text instead of treating it as a separate parameter. This oversight enables unauthenticated attackers to send specially crafted Authorization headers to any LLM API route, such as POST /chat/completions, triggering the vulnerable query through the proxy’s error-handling path. Consequently, attackers can read and potentially modify data within the proxy’s database, leading to unauthorized access to the proxy and the credentials it manages.
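The flaw class described above, shown as an added example (not LiteLLM's code): a key lookup that pastes the caller-supplied value into the SQL text, beside the same lookup with the value bound as a parameter. It assumes an in-memory SQLite table as a stand-in for the proxy database; the table, function names and sample header values are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a proxy key table (not LiteLLM's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO api_keys VALUES (?, ?)",
                   [("sk-alpha", "team-a"), ("sk-beta", "team-b")])
    return db

def bearer_token(authorization_header):
    """Extract the caller-supplied key from an Authorization header."""
    scheme, _, value = authorization_header.partition(" ")
    return value if scheme.lower() == "bearer" else authorization_header

def lookup_vulnerable(db, authorization_header):
    """Flawed pattern: the key is pasted into the SQL text, so a quote
    character in the header ends the string literal and the rest is
    parsed as SQL."""
    token = bearer_token(authorization_header)
    query = "SELECT owner FROM api_keys WHERE token = '" + token + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, authorization_header):
    """Fixed pattern: the key travels as a bound parameter and is only
    ever compared as data, whatever characters it contains."""
    token = bearer_token(authorization_header)
    query = "SELECT owner FROM api_keys WHERE token = ?"
    return [row[0] for row in db.execute(query, (token,))]

# Constructed inputs: one valid key, one value that contains SQL syntax.
VALID = "Bearer sk-alpha"
CRAFTED = "Bearer x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(name, "valid:", fn(db, VALID), "crafted:", fn(db, CRAFTED))
```

With the concatenated query the crafted value matches every row even though no such key exists; with the bound parameter it matches none, which is the behaviour a key check needs.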
The affected versions include those from 1.81.16 up to, but not including, 1.83.7. The issue was addressed in version 1.83.7-stable, released on April 19, 2026. Despite the prompt release of this patch, the first recorded exploitation attempt occurred on April 26 at 16:17 UTC, approximately 26 hours after the GitHub advisory was indexed in the global GitHub Advisory Database. This malicious activity originated from the IP address 65.111.27[.]132.
Security researcher Michael Clark from Sysdig reported that the attack unfolded in two phases, both driven by the same operator using adjacent egress IPs. The initial phase involved targeting database tables such as litellm_credentials.credential_values and litellm_config, which contain sensitive information related to upstream large language model (LLM) provider keys and the proxy’s runtime environment. Notably, there were no probes against tables like litellm_users or litellm_team, indicating the attacker’s specific interest in tables holding sensitive secrets.
Approximately 20 minutes later, the second phase commenced from a different IP address, 65.111.25[.]67, involving similar probing activities. This rapid succession of attacks underscores the attacker’s awareness and intent to exploit the vulnerability swiftly.
LiteLLM is a widely used open-source AI Gateway software, boasting over 45,000 stars and 7,600 forks on GitHub. In the previous month, the project was targeted in a supply chain attack by the TeamPCP hacking group, aiming to steal credentials and secrets from downstream users.
The potential impact of this vulnerability is significant. A single entry in the litellm_credentials table can contain an OpenAI organization key with substantial monthly spending limits, an Anthropic console key with workspace administrative rights, and an AWS Bedrock IAM credential. Therefore, a successful database extraction could result in a compromise comparable to a cloud account breach rather than a typical web application SQL injection.
Users are strongly advised to update their LiteLLM instances to the latest version to mitigate this vulnerability. If immediate patching is not feasible, maintainers recommend setting disable_error_logs: true under general_settings to eliminate the pathway through which untrusted input reaches the vulnerable query.
This incident highlights a concerning trend in AI infrastructure security: critical, pre-authentication vulnerabilities in widely trusted software are being exploited rapidly after disclosure. The 36-hour window between disclosure and exploitation aligns with broader patterns observed in the cybersecurity landscape, emphasizing the need for prompt patching and vigilant monitoring.