LiteLLM CVE-2026-42208 SQL Injection Exploited Within 36 Hours of Disclosure

In yet another case of threat actors rushing to weaponize a freshly disclosed flaw, a newly disclosed critical bug in BerriAI’s LiteLLM Python package has come under widespread exploitation in the wild within 36 hours of the bug becoming public.
The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that can be used to modify the LiteLLM proxy database.
“The database query used during proxy API key testing mixed the caller-provided key value into the query text instead of passing it as a separate parameter,” LiteLLM maintainers said in an alert last week.
“An unauthenticated attacker can send a specially crafted authorization header to any LLM API route (for example, POST /chat/completions) and access this query through the proxy’s error handler. An attacker can read data from the proxy’s database and may be able to modify it, resulting in unauthorized access to the proxy and control authentication access.”
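As an added illustration (not LiteLLM's own code), the following contrasts the query pattern the maintainers describe, caller input interpolated into the SQL text, with the parameterized form that fixes it. The table and key values are constructed, and the schema is hypothetical, not LiteLLM's Prisma schema.

```python
import sqlite3

# Constructed stand-in for a proxy key table (hypothetical schema, not LiteLLM's own).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, user_id TEXT)")
    conn.executemany("INSERT INTO verification_tokens VALUES (?, ?)",
                     [("sk-alice-1", "alice"), ("sk-bob-2", "bob")])
    return conn

def lookup_key_vulnerable(conn, key):
    # Mixes the caller-supplied key into the query text: any quote or other SQL
    # metacharacter in the header value now changes the statement being parsed.
    sql = f"SELECT user_id FROM verification_tokens WHERE token = '{key}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_key_fixed(conn, key):
    # Binds the key as a parameter; the driver passes it as data, never as SQL.
    sql = "SELECT user_id FROM verification_tokens WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (key,))]

def compare(key):
    """Run both variants on one header value; report the rows or the error class raised."""
    conn = make_db()
    out = {}
    for name, fn in (("vulnerable", lookup_key_vulnerable), ("fixed", lookup_key_fixed)):
        try:
            out[name] = fn(conn, key)
        except sqlite3.Error as exc:
            # In the advisory's scenario this is the point where the proxy's error
            # handler would pick up a statement whose shape the caller controlled.
            out[name] = type(exc).__name__
    return out

if __name__ == "__main__":
    print(compare("sk-alice-1"))   # both variants agree on a well-formed key
    print(compare("sk-O'Brien"))   # a stray quote: only the vulnerable variant fails to parse
```

The parameterized variant treats the quote as ordinary data and simply finds no matching key, which is also why the maintainers' interim advice targets the error-handling path rather than the header itself.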
The shortcoming affects the following versions –
While the vulnerability was addressed in version 1.83.7-stable, released on April 19, 2026, the first exploit attempt was recorded on April 26 at 16:17 UTC, approximately 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. According to Sysdig, the SQL injection activity originated from the IP address 65.111.27[.]132.
“The malicious activity fell into two stages run by the same user on two adjacent IPs, followed by a brief unauthorized investigation of the administrative endpoints,” said security researcher Michael Clark.
Specifically, the unknown threat actor is said to have targeted database tables such as “litellm_credentials.credential_values” and “litellm_config,” which hold large language model (LLM) provider keys and details of the proxy’s operating environment. No probes were observed against tables like “litellm_users” or “litellm_team.”
This suggests that the attacker was not only aware of these tables, but deliberately went after those holding sensitive secrets. In the second stage of the attack, observed 20 minutes later, the threat actor used a different IP address (“65.111.25[.]67”), this time to carry out the same probing.
LiteLLM is a popular open-source AI gateway with over 45,000 stars and 7,600 forks on GitHub. Last month, the project was the target of a supply chain attack orchestrated by the hacking group TeamPCP to steal information and secrets from downstream users.
“A single line of litellm_credentials typically holds the five-digit OpenAI organizational key used monthly, the Anthropic console key with workspace management privileges, and the AWS Bedrock IAM credentials,” Sysdig said. “The blast radius for a successful database extraction is closer to a critical cloud account than a typical SQL web application injection.”
Users are advised to update to the latest version. Where that is not immediately possible, the maintainers recommend setting “disable_error_logs: true” under “general_settings” to remove the path by which untrusted input reaches the vulnerable query.
“The LiteLLM vulnerability (GHSA-r75f-5x8p-qvmc) continues the modal pattern of AI infrastructure advisories: sensitive, pre-authorized, and five-star software that operators rely on to integrate cloud-grade credentials,” Sysdig added.
“The 36-hour exploit window is consistent with the extensive fall documented by the Zero Day Clock, and the user behavior we recorded (Prisma table names verbatim, indexing of three tables, deliberate column counting) indicates that the exploit is no longer waiting for a public PoC. Advisory and an adequate open source schema was the last sufficient schema.”