
LiteLLM CVE-2026-42208: Critical SQL Injection in Proxy Database Enables Unauthorized Credential Access

Date: 2026-04-29
Tags: malicious-tool

Executive Summary

CVE-2026-42208 (CVSS score: 9.3) is an SQL injection vulnerability in LiteLLM that could be exploited to modify the underlying LiteLLM proxy database. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. The unknown threat actor targeted database tables like "litellm_credentials.credential_values" and "litellm_config" that hold information related to upstream large language model (LLM) provider keys and the proxy runtime environment, demonstrating that the attacker was not only aware of these tables, but also went after those that hold sensitive secrets.

Campaign Summary

Field              | Detail
Campaign / Malware | LiteLLM Proxy Database Exploitation
Attribution        | Unknown Threat Actor (confidence: medium)
Target             | Organizations running LiteLLM proxy infrastructure for LLM routing and credential management
Vector             | Unauthenticated SQL injection via crafted Authorization header in LLM API routes
Status             | Active
First Observed     | 2026-04-26

Detailed Findings

A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could therefore send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path, allowing them to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the credentials it manages.

LiteLLM is a popular open-source AI gateway with over 45,000 stars and 7,600 forks on GitHub, and the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group in March 2026. CVE-2026-42208 continues the modal pattern for AI-infrastructure advisories: critical, pre-auth, and in software with five-figure star counts that operators trust to centralize cloud-grade credentials.

The 36-hour exploit window is consistent with the broader collapse documented by the Zero Day Clock, and the operator behavior recorded (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC. The advisory and the open-source schema were ultimately enough.

MITRE ATT&CK Mapping

Technique                          | ID    | Context
SQL Injection                      | T1190 | Exploitation of unauthenticated SQL injection via public-facing API endpoint
Credential Access                  | T1555 | Extraction of LLM provider API keys and cloud credentials from proxy database
Data from Information Repositories | T1213 | Targeted queries against specific credential and configuration tables

IOCs

Domains

_IP address used in second phase of exploitation per Hacker News report. No CVE-specific IOCs published._

Full URL Paths

_IP address used in second phase of exploitation per Hacker News report. No CVE-specific IOCs published._

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

litellm

Detection Recommendations

Monitor LiteLLM proxy logs for:
(1) Authorization header parsing errors or SQL-related error responses in API logs;
(2) unusual query patterns against the litellm_credentials.credential_values and litellm_config tables;
(3) SELECT COUNT(*) queries or column-enumeration patterns from unauthenticated access;
(4) requests from unusual IP ranges probing standard LiteLLM table names.
Implement parameterized queries and prepared statements for all database operations. Deploy rate limiting on API authentication paths to limit error-based SQL enumeration attempts.
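An added example (not LiteLLM's code and not from this advisory) that turns recommendations (1) through (4) above into a scan over constructed proxy log lines. The log line format, the error strings matched and the per-source threshold are assumptions; only the two table names come from the advisory.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example, not LiteLLM's own):
#   <ts> src=<ip> <method> <path> status=<code> msg="<free text>"
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) (?P<method>[A-Z]+) '
                     r'(?P<path>\S+) status=(?P<status>\d{3}) msg="(?P<msg>.*)"$')

# Tables the advisory names as the attacker's targets.
SENSITIVE_TABLES = ("litellm_credentials", "litellm_config")

# Signals (1)-(3) from the detection recommendations, as regexes over msg.
SIGNALS = {
    "sql_error": re.compile(r"syntax error|unterminated quoted|PrismaClient", re.I),
    "count_enum": re.compile(r"count\(\s*\*\s*\)", re.I),
    "column_enum": re.compile(r"union\s+(all\s+)?select|union query must|"
                              r"order\s+by\s+(position\s+)?\d+", re.I),
}

def classify(line):
    """Parse one log line; return its source, path, status and matched signal tags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    tags = [name for name, rx in SIGNALS.items() if rx.search(msg)]
    if any(t in msg.lower() for t in SENSITIVE_TABLES):
        tags.append("sensitive_table")
    return {"src": m["src"], "path": m["path"], "status": m["status"], "tags": tags}

def scan(lines, threshold=3):
    """Return flagged lines and the sources at or over the threshold (signal 4)."""
    hits = [c for c in map(classify, lines) if c and c["tags"]]
    per_src = Counter(h["src"] for h in hits)
    return hits, sorted(s for s, n in per_src.items() if n >= threshold)

# Constructed sample: one probing source (TEST-NET-3 address) and one ordinary client.
SAMPLE_LOG = [
    '2026-04-26T16:17:02Z src=203.0.113.7 POST /chat/completions status=500 msg="auth lookup failed: unterminated quoted string at or near"',
    '2026-04-26T16:17:09Z src=203.0.113.7 POST /chat/completions status=500 msg="auth lookup failed: each UNION query must have the same number of columns"',
    '2026-04-26T16:17:40Z src=203.0.113.7 POST /chat/completions status=200 msg="db: SELECT COUNT(*) FROM litellm_credentials"',
    '2026-04-26T16:18:05Z src=203.0.113.7 POST /chat/completions status=200 msg="db: SELECT credential_values FROM litellm_credentials"',
    '2026-04-26T16:20:00Z src=198.51.100.4 POST /chat/completions status=200 msg="model=gpt-4o tokens=812"',
]

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    print(len(hits), "flagged lines; sources over threshold:", noisy)
```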

References