Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure

Summary

A critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in the open source LiteLLM AI gateway was exploited shortly after disclosure, allowing unauthenticated attackers to read and modify database contents including API keys and credentials. The flaw occurs during API key verification before authentication is performed, enabling attackers to inject SQL via a crafted Authorization header. Sysdig observed targeted attacks 36 hours after the advisory was indexed, with attackers performing schema enumeration to extract sensitive data from three specific database tables.

Full text

A critical-severity vulnerability in the open source AI gateway LiteLLM was exploited days after public disclosure to access database tables containing sensitive information, Sysdig reports. The security defect is described as an SQL injection during the proxy API key verification process and is identified as CVE-2026-42208, with a CVSS score of 9.3. In an April 20 advisory, LiteLLM’s maintainers explained that a database query used during key verification did not pass the caller-supplied value as a separate parameter, including it in the query instead. This allowed an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route and access the query via the proxy’s error-handling path. “The call happens before authentication (auth) is decided, so the injection is fully pre-auth: any HTTP client that can reach the proxy port is sufficient,” Sysdig notes. By exploiting the issue, the attacker could access the LiteLLM proxy’s database to read and potentially modify data, allowing them to leak credentials stored in the database.Advertisement. Scroll to continue reading. On April 24, the advisory was indexed in the GitHub Advisory database, and the first attacks exploiting the flaw were observed 36 hours later, Sysdig says. The cybersecurity firm observed the attackers specifically targeting three database tables containing sensitive information such as API keys, provider credentials, and the proxy’s environment variable configuration. “The operator already knew LiteLLM’s Prisma-generated PostgreSQL identifier casing and ran a textbook column-count discovery sweep against each target table,” Sysdig explains. Despite the targeted nature of the attacks, no continuation was observed, and the extracted keys and credentials have not been abused. The observed attacks, the cybersecurity firm says, were performed 21 minutes apart, likely through an automated tool that used the same payload but rotated the origin IP addresses. “The novelty of this finding is the speed and precision of the schema-enumeration attempt, not a confirmed compromise,” Sysdig notes. LiteLLM version 1.83.7 resolves the vulnerability by ensuring that the caller-supplied value is always passed as a separate parameter. Users are advised to update to the patched release as soon as possible or to disable error logs to mitigate the exploitation path. Related: 38 Vulnerabilities Found in OpenEMR Medical Software Related: Chrome 147, Firefox 150 Security Updates Rolling Out Related: No Patch for New PhantomRPC Privilege Escalation Technique in Windows Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Alleged Chinese State Hacker Extradited to USDozens of Open VSX Extension Clones Linked to GlassWorm MalwareNo Patch for New PhantomRPC Privilege Escalation Technique in WindowsSpectrum Security Emerges From Stealth Mode With $19 MillionIncomplete Windows Patch Opens Door to Zero-Click AttacksOpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsUNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ MalwareEasily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access Latest News Hundreds of Internet-Facing VNC Servers Expose ICS/OTCheckmarx Confirms Data Stolen in Supply Chain AttackIranian Cyber Group Handala Targets US Troops in Bahrain38 Vulnerabilities Found in OpenEMR Medical SoftwareChrome 147, Firefox 150 Security Updates Rolling OutCritical GitHub Vulnerability Exposed Millions of RepositoriesCyber Insurance Data Gives CISOs New Ammo for Budget TalksVimeo Confirms User and Customer Data Breach Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveMongoDB has appointed Doug Bowers as Chief Information Security Officer.Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA.Cato Networks has appointed Meital Koren as Chief Legal Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-42208

Entities