CVE-2026-42208: LiteLLM SQL Injection Vulnerability Exploited Within 36 Hours of Public Disclosure
- Apr 29
- 3 min read
Key Findings
Critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM Python package exploited within 36 hours of public disclosure
Affects versions 1.81.16 through 1.83.6; patched in version 1.83.7 released April 19, 2026
First exploitation attempt recorded April 26 at 16:17 UTC from IP 65.111.27.132
Threat actor demonstrated precise knowledge of LiteLLM database schema, targeting high-value credential tables
No confirmed data theft or credential misuse detected, though attackers successfully mapped sensitive database structures
LiteLLM is widely trusted infrastructure with 45,000+ GitHub stars managing cloud-grade credentials worth five-figure monthly spend amounts
Background
LiteLLM is a popular open-source AI Gateway software that acts as a centralized proxy for managing API keys and credentials across multiple large language model providers. The platform has become a critical piece of infrastructure for organizations managing access to services like OpenAI, Anthropic, and AWS Bedrock. Last month, the project was already targeted by the TeamPCP supply chain attack group, making this vulnerability particularly concerning given its access to high-value secrets.
The Vulnerability
The flaw lies in how LiteLLM handles API key verification during proxy requests. Instead of safely parameterizing the caller-supplied API key before inserting it into a database query, the code directly concatenates the user input into the query string. An unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API route, such as POST /chat/completions. The malicious input reaches the vulnerable query through the proxy's error-handling path, allowing an attacker to read and potentially modify database contents without any valid credentials.
Rapid Exploitation Timeline
Security researchers at Sysdig detected the first exploitation attempt just 26 hours and 7 minutes after the GitHub advisory was indexed. This represents an unusually fast weaponization compared to historical patterns. The attacker used a different IP address (65.111.25.67) approximately 20 minutes after the initial probe, suggesting a coordinated campaign rather than opportunistic scanning.
Attacker Sophistication and Intent
What stands out about this exploitation is the attacker's precision. Rather than running generic automated SQL injection tools like SQLmap, the threat actor demonstrated intimate knowledge of LiteLLM's database schema. They specifically targeted three tables: litellm_credentials.credential_values, litellm_config, and bypassed tables like litellm_users and litellm_team. Each targeted table contains extremely sensitive information - OpenAI organization keys with five-figure monthly spend caps, Anthropic workspace admin credentials, and AWS Bedrock IAM credentials.
The attacker employed deliberate column-count enumeration and schema mapping techniques, showing this was a custom, purposeful attack rather than script-kiddie activity.
Limited Observed Impact
Despite successful database access, researchers found no evidence of follow-through exploitation. No authenticated API calls were made using exfiltrated credentials, no new virtual API keys were generated via the /key/generate endpoint, and no stolen provider credentials were reused. This suggests the attacker may have been conducting reconnaissance or proof-of-concept work rather than attempting full compromise.
Broader Implications
This incident exemplifies a troubling trend in AI infrastructure security. The vulnerability represents the typical pattern Sysdig identified: critical, pre-authentication flaws in widely-trusted software managing cloud-grade credentials. The 36-hour exploitation window aligns with documented collapse of zero-day disclosure windows across the industry. The attacker's ability to weaponize the vulnerability without a public proof-of-concept demonstrates that advisory documentation and open-source schema information alone are sufficient for determined threat actors to build functional exploits.
Mitigation Options
Users should immediately upgrade to version 1.83.7-stable or later. For those unable to patch immediately, BerriAI recommends enabling disable_error_logs: true under general_settings to block the attack vector by preventing untrusted input from reaching the vulnerable query path.
Sources
https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
https://securityaffairs.com/191483/hacking/cve-2026-42208-litellm-bug-exploited-36-hours-after-its-disclosure.html
https://x.com/TheHackersNews/status/2049362698765517141
https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure
https://news.backbox.org/2026/04/29/litellm-cve-2026-42208-sql-injection-exploited-within-36-hours-of-disclosure/

Comments