top of page

CVE-2026-42208: LiteLLM SQL Injection Vulnerability Exploited Within 36 Hours of Public Disclosure

  • Apr 29
  • 3 min read

Key Findings


  • Critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM Python package exploited within 36 hours of public disclosure

  • Affects versions 1.81.16 through 1.83.6; patched in version 1.83.7 released April 19, 2026

  • First exploitation attempt recorded April 26 at 16:17 UTC from IP 65.111.27.132

  • Threat actor demonstrated precise knowledge of LiteLLM database schema, targeting high-value credential tables

  • No confirmed data theft or credential misuse detected, though attackers successfully mapped sensitive database structures

  • LiteLLM is widely trusted infrastructure with 45,000+ GitHub stars managing cloud-grade credentials worth five-figure monthly spend amounts


Background


LiteLLM is a popular open-source AI Gateway software that acts as a centralized proxy for managing API keys and credentials across multiple large language model providers. The platform has become a critical piece of infrastructure for organizations managing access to services like OpenAI, Anthropic, and AWS Bedrock. Last month, the project was already targeted by the TeamPCP supply chain attack group, making this vulnerability particularly concerning given its access to high-value secrets.


The Vulnerability


The flaw lies in how LiteLLM handles API key verification during proxy requests. Instead of safely parameterizing the caller-supplied API key before inserting it into a database query, the code directly concatenates the user input into the query string. An unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API route, such as POST /chat/completions. The malicious input reaches the vulnerable query through the proxy's error-handling path, allowing an attacker to read and potentially modify database contents without any valid credentials.


Rapid Exploitation Timeline


Security researchers at Sysdig detected the first exploitation attempt just 26 hours and 7 minutes after the GitHub advisory was indexed. This represents an unusually fast weaponization compared to historical patterns. The attacker used a different IP address (65.111.25.67) approximately 20 minutes after the initial probe, suggesting a coordinated campaign rather than opportunistic scanning.


Attacker Sophistication and Intent


What stands out about this exploitation is the attacker's precision. Rather than running generic automated SQL injection tools like SQLmap, the threat actor demonstrated intimate knowledge of LiteLLM's database schema. They specifically targeted three tables: litellm_credentials.credential_values, litellm_config, and bypassed tables like litellm_users and litellm_team. Each targeted table contains extremely sensitive information - OpenAI organization keys with five-figure monthly spend caps, Anthropic workspace admin credentials, and AWS Bedrock IAM credentials.


The attacker employed deliberate column-count enumeration and schema mapping techniques, showing this was a custom, purposeful attack rather than script-kiddie activity.


Limited Observed Impact


Despite successful database access, researchers found no evidence of follow-through exploitation. No authenticated API calls were made using exfiltrated credentials, no new virtual API keys were generated via the /key/generate endpoint, and no stolen provider credentials were reused. This suggests the attacker may have been conducting reconnaissance or proof-of-concept work rather than attempting full compromise.


Broader Implications


This incident exemplifies a troubling trend in AI infrastructure security. The vulnerability represents the typical pattern Sysdig identified: critical, pre-authentication flaws in widely-trusted software managing cloud-grade credentials. The 36-hour exploitation window aligns with documented collapse of zero-day disclosure windows across the industry. The attacker's ability to weaponize the vulnerability without a public proof-of-concept demonstrates that advisory documentation and open-source schema information alone are sufficient for determined threat actors to build functional exploits.


Mitigation Options


Users should immediately upgrade to version 1.83.7-stable or later. For those unable to patch immediately, BerriAI recommends enabling disable_error_logs: true under general_settings to block the attack vector by preventing untrusted input from reaching the vulnerable query path.


Sources


  • https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html

  • https://securityaffairs.com/191483/hacking/cve-2026-42208-litellm-bug-exploited-36-hours-after-its-disclosure.html

  • https://x.com/TheHackersNews/status/2049362698765517141

  • https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure

  • https://news.backbox.org/2026/04/29/litellm-cve-2026-42208-sql-injection-exploited-within-36-hours-of-disclosure/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page