Concise Cyber

LiteLLM CVE-2026-42208 SQL Injection Exploited Within 36 Hours of Disclosure

A critical SQL injection vulnerability in BerriAI’s LiteLLM Python package was observed being exploited in the wild within 36 hours of becoming public. Tracked as CVE-2026-42208 and rated 9.3 on the CVSS scale, the flaw affects LiteLLM versions 1.81.16 and later and can expose sensitive database contents, including credentials managed by the proxy.

LiteLLM maintainers said the problem stemmed from a database query used during proxy API key checks. According to the advisory, the caller-supplied key value was mixed directly into the query text instead of being passed as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to an LLM API route, such as POST /chat/completions, and reach the vulnerable query through the proxy’s error-handling path.

The issue was fixed in version 1.83.7-stable, which was released on April 19, 2026. But even after the patch became available, exploitation attempts followed quickly. Sysdig recorded the first observed attempt on April 26 at 16:17 UTC, about 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database.

How the vulnerability works

The source material describes the flaw as an SQL injection in LiteLLM’s proxy database handling. The vulnerable query is part of the proxy API key checks, and the error-handling path allows untrusted input to reach that query. Because the attack is unauthenticated, an adversary does not need valid credentials to attempt exploitation.
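The difference between mixing the key value into the query text and passing it as a separate parameter, as an added example that is not LiteLLM's code. The `proxy_keys` table, the function names, the sample key and the use of `sqlite3` as a stand-in database are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a proxy key store (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO proxy_keys VALUES ('sk-constructed-0001', 'team-a')")
    return db

def bearer_value(authorization_header):
    # Return whatever follows "Bearer " exactly as the caller sent it.
    scheme, _, value = authorization_header.partition(" ")
    return value if scheme.lower() == "bearer" else ""

def lookup_vulnerable(db, authorization_header):
    # Flawed pattern: the caller-supplied value becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    key = bearer_value(authorization_header)
    sql = "SELECT owner FROM proxy_keys WHERE token = '" + key + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, authorization_header):
    # Corrected pattern: the SQL text is constant and the value is bound
    # separately, so the driver always treats it as data.
    key = bearer_value(authorization_header)
    sql = "SELECT owner FROM proxy_keys WHERE token = ?"
    return db.execute(sql, (key,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    valid = "Bearer sk-constructed-0001"   # constructed sample key
    crafted = "Bearer ' OR '1'='1"         # constructed textbook input
    for label, header in (("valid", valid), ("crafted", crafted)):
        print(label, "concatenated:", lookup_vulnerable(db, header))
        print(label, "parameterized:", lookup_parameterized(db, header))
```

With the concatenated query the crafted header matches a row without knowing any key; with the bound parameter it matches nothing, while the valid key behaves the same in both.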

LiteLLM maintainers recommended immediate patching to the latest version. If patching is not possible right away, they advised setting disable_error_logs: true under general_settings to remove the path through which untrusted input reaches the vulnerable query.

What attackers targeted

According to Sysdig, the initial SQL injection activity came from IP address 65.111.27[.]132. The malicious activity unfolded in two phases driven by the same operator across two adjacent egress IPs, followed by a brief unauthenticated probe of key-management endpoints. In the second phase, observed about 20 minutes later, the threat actor used a different IP address, 65.111.25[.]67, to run a similar probe.

The attacker is said to have targeted database tables including litellm_credentials.credential_values and litellm_config. These tables store information related to upstream large language model provider keys and the proxy runtime environment. No probes were observed against litellm_users or litellm_team, which suggests the operator was specifically focused on tables containing sensitive secrets.

  • CVE identifier: CVE-2026-42208
  • Severity: CVSS 9.3
  • Affected versions: 1.81.16 and later
  • Fixed in: 1.83.7-stable
  • Observed exploitation: within 36 hours of disclosure

Why the risk is significant

LiteLLM is an open-source AI Gateway with more than 45,000 stars and 7,600 forks on GitHub. Sysdig noted that a single litellm_credentials row can contain highly sensitive material, including an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential. That makes the impact of database extraction far broader than a typical web application SQL injection.

The project had already been targeted last month in a supply chain attack attributed to the TeamPCP hacking group, which aimed to steal credentials and secrets from downstream users. The newly observed exploitation of CVE-2026-42208 adds another serious event for operators relying on the software to centralize cloud and LLM credentials.

What administrators should do now

Users are advised to patch instances to the latest available version as soon as possible. If immediate patching cannot be done, LiteLLM’s maintainers recommend disabling error logs using the configuration setting noted above to reduce exposure to the vulnerable query path.
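A triage helper for an inventory of LiteLLM proxies, as an added example that is not part of the original article or the LiteLLM project. It assumes the affected range is 1.81.16 up to, but not including, 1.83.7 (read from the versions quoted above), that the proxy config file has already been parsed into a dictionary, and that the inventory entries are constructed sample data.

```python
import re

FIRST_AFFECTED = (1, 81, 16)  # "1.81.16 and later", per the article
FIXED_IN = (1, 83, 7)         # "1.83.7-stable", per the article

def parse_version(text):
    # Keep the leading numeric triple; suffixes such as "-stable" are ignored.
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def error_logs_disabled(config):
    # Only a real boolean true counts; a quoted "true" string or a missing
    # key is treated as "mitigation not applied" (a conservative choice).
    settings = (config or {}).get("general_settings") or {}
    return settings.get("disable_error_logs") is True

def triage(version_text, config):
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if version >= FIXED_IN:
        return "patched"
    if error_logs_disabled(config):
        return "mitigated-upgrade-pending"
    return "exposed"

# Constructed inventory: (hypothetical host name, installed version, parsed config).
INVENTORY = [
    ("gw-a", "1.80.9", {}),
    ("gw-b", "1.82.3", {"general_settings": {"master_key": "redacted"}}),
    ("gw-c", "1.82.3", {"general_settings": {"disable_error_logs": True}}),
    ("gw-d", "1.82.3", {"general_settings": {"disable_error_logs": "true"}}),
    ("gw-e", "1.83.7-stable", None),
]

def report(inventory):
    return {name: triage(version, config) for name, version, config in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```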

Sysdig said the 36-hour exploit window reflects a broader pattern in which critical vulnerabilities in AI infrastructure are quickly acted on after disclosure. In this case, the advisory and the open-source schema were enough for exploitation attempts to begin without waiting for a public proof of concept.

In short, CVE-2026-42208 shows how quickly a newly disclosed flaw can become an active threat when it affects software that manages high-value credentials. Administrators running affected LiteLLM versions should review their exposure and apply the fix without delay.

