CVE-2026-42208: LiteLLM Pre-Auth SQL Injection Actively Exploited Within 26 Hours of Disclosure; Attackers Target Credential Storage
Date: 2026-05-02
Tags: supply-chain
Executive Summary
CVE-2026-42208 (CVSS 9.3) is a pre-authentication SQL injection in the LiteLLM proxy's API key check: the value of the Authorization header reaches a database query without being bound as a parameter, so an unauthenticated caller can read from, and potentially modify, the underlying proxy database. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. An unknown threat actor targeted the database tables holding upstream LLM provider keys and proxy runtime environment secrets, which suggests the attacker knew where the sensitive credential stores were and went straight for them.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | CVE-2026-42208 Post-Disclosure Exploitation |
| Attribution | Unknown threat actor (confidence: low) |
| Target | Organizations running externally exposed LiteLLM proxy instances with stored LLM API credentials |
| Vector | Unauthenticated SQL injection via a specially crafted Authorization header sent to any LLM API route; the injected SQL reads from, and can potentially modify, the proxy database, yielding the credentials stored there. |
| Status | active |
| First Observed | 2026-04-26 |
Detailed Findings
The database query run during proxy API key checks spliced the caller-supplied key value into the query text instead of passing it as a bound parameter, so quote characters and SQL syntax placed in the Authorization header changed the meaning of the query. LiteLLM version 1.83.7 fixes this by replacing the string concatenation with parameterized queries. Exploitation followed quickly: measured from the advisory's indexing in the GitHub Advisory Database the first attempt came roughly 26 hours later (see the timeline above), and The Hacker News reports exploitation within 36 hours of disclosure. In a second phase, the threat actor returned from a different IP address and ran a similar probe. Because LiteLLM stores upstream provider API keys, virtual and master keys, and environment/config secrets in its database, anyone who can read that database obtains credentials that can be reused against the upstream providers and the cloud accounts behind them. Any instance that was reachable before it was patched should therefore have those stored secrets rotated, not merely be upgraded.
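To make the bug class concrete, the following added example (written for this page, not LiteLLM's own code) puts a key lookup that splices the bearer token into the SQL text next to the parameterized form the fix describes, and runs the same Authorization header through both. The table names, column names, key values and the in-memory SQLite database are assumptions made for the illustration; the UNION payload is a textbook one chosen to show the difference between the two lookups and is not the payload observed in the wild.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions for this
# illustration, not LiteLLM's real schema; the key values are fake.
SAMPLE_VIRTUAL_KEYS = [("sk-virt-aaaa1111", "alice"), ("sk-virt-bbbb2222", "bob")]
SAMPLE_PROVIDER_KEYS = [("openai", "sk-provider-FAKE-1"), ("anthropic", "sk-ant-FAKE-2")]


def build_db():
    """In-memory stand-in for the proxy database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, user_id TEXT)")
    conn.execute("CREATE TABLE provider_keys (provider TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO virtual_keys VALUES (?, ?)", SAMPLE_VIRTUAL_KEYS)
    conn.executemany("INSERT INTO provider_keys VALUES (?, ?)", SAMPLE_PROVIDER_KEYS)
    return conn


def bearer_token(authorization_header):
    """Return the token part of 'Bearer <token>', or None for other schemes.

    On a pre-auth route everything after the scheme is attacker-controlled.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_key_vulnerable(conn, token):
    """The bug class the advisory describes: the key is spliced into the SQL text."""
    sql = f"SELECT token, user_id FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_key_fixed(conn, token):
    """The fix pattern: the token is bound as a parameter and never parsed as SQL."""
    sql = "SELECT token, user_id FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


# Textbook UNION payload, used only to contrast the two lookups. The closing
# quote that the vulnerable query appends is swallowed by the trailing comment.
UNION_HEADER = "Bearer x' UNION SELECT provider, api_key FROM provider_keys --"
LEGIT_HEADER = "Bearer sk-virt-aaaa1111"


def compare(header):
    """Run one Authorization header through both lookups on a fresh database."""
    conn = build_db()
    token = bearer_token(header)
    if token is None:
        return {"vulnerable": [], "fixed": []}
    return {
        "vulnerable": lookup_key_vulnerable(conn, token),
        "fixed": lookup_key_fixed(conn, token),
    }


if __name__ == "__main__":
    for name, header in (("legit", LEGIT_HEADER), ("union", UNION_HEADER)):
        result = compare(header)
        print(f"{name:6} vulnerable -> {result['vulnerable']}")
        print(f"{name:6} fixed      -> {result['fixed']}")
```

With the legitimate header both lookups return the same row. With the UNION header the concatenated query no longer matches a virtual key at all; it returns the contents of the provider-key table, which is exactly the kind of table the campaign went after, while the parameterized lookup treats the whole string as a (non-existent) token and returns nothing.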
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | CVE-2026-42208 SQL injection exploited against externally accessible LiteLLM proxy endpoints |
| Unsecured Credentials | T1552 | Attacker reads stored LLM provider API keys, virtual/master keys and environment secrets from the proxy database through the injection |
IOCs
IP Addresses
65.111.25.67 (the one attacker IP identified; later probes arrived from different IP addresses, suggesting multi-stage reconnaissance)
Domains
_None published._
Full URL Paths
_None published; the injection travels in the Authorization header rather than the URL, so any LLM API route can be hit._
Splunk Format
_Only the single IP above (65.111.25.67) is available as a searchable indicator; no domain or URL-path indicators were published._
Package Indicators
LiteLLM <1.83.7
Detection Recommendations
- Upgrade every LiteLLM proxy instance to 1.83.7 or later; the package indicator above is the authoritative check.
- Log and inspect the Authorization header on every LLM API route. Many reverse proxies and WAFs do not record header values by default, so the injection can be invisible in access logs. A legitimate proxy key never contains SQL syntax: quote characters, comment sequences (`--`, `/*`), `UNION`, boolean tautologies or semicolons in the bearer value are strong indicators. Do not scope the rule to one route, because the key check runs on all of them.
- Keep strict input validation on every API key verification path in addition to parameterized queries; a key that fails a simple allowed-character check should be rejected before it reaches the database.
- Monitor database access for unusual queries against the tables holding provider keys, virtual/master keys and environment secrets, for example UNION-style reads or reads of columns the proxy never selects during normal operation.
- Enable comprehensive logging of database operations on proxy instances, at least long enough to baseline normal query shapes.
- Block or rate-limit known scanning infrastructure, including the IP listed above, but treat this as a stopgap: the second phase of this campaign came from a different address.
- On any instance that was exposed before patching, rotate the stored provider keys, master/virtual keys and environment secrets, and review upstream provider usage for abuse.
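The following added example (not part of the original advisory or of LiteLLM) shows the header check from the recommendations above run over a handful of constructed request log lines. It assumes a JSON-lines log shape with `src_ip`, `path` and a `headers.authorization` field, and it assumes proxy keys consist only of letters, digits, dots, underscores and hyphens; adjust the allowlist to the key format your deployment actually generates. The log lines themselves are made up for the illustration.

```python
import json
import re
from urllib.parse import unquote

# Assumption: proxy keys are opaque tokens drawn from this character set.
ALLOWED_TOKEN = re.compile(r"^[A-Za-z0-9._\-]+$")

# SQL syntax that has no business inside a bearer token. The allowlist above
# does most of the work; these labels just explain why a token was flagged.
SQL_MARKERS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"--|/\*"), "SQL comment"),
    (re.compile(r";"), "statement separator"),
    (re.compile(r"\bunion\b", re.I), "UNION"),
    (re.compile(r"\b(or|and)\b\s+[\w']+\s*=\s*", re.I), "boolean tautology"),
    (re.compile(r"\b(select|insert|update|delete|drop)\b", re.I), "SQL keyword"),
]

KNOWN_SCANNERS = {"65.111.25.67"}  # the IP published for this campaign


def bearer_token(authorization_header):
    """Return the bearer token, URL-decoded, or None for other auth schemes."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    # Attackers frequently URL-encode quotes and spaces; normalise first.
    return unquote(token.strip())


def classify_request(entry):
    """Return the list of reasons this request looks like CVE-2026-42208 probing."""
    reasons = []
    if entry.get("src_ip") in KNOWN_SCANNERS:
        reasons.append("known scanner IP")
    token = bearer_token(entry.get("headers", {}).get("authorization"))
    if token is None:
        return reasons
    if not ALLOWED_TOKEN.match(token):
        reasons.append("token outside allowed character set")
        for pattern, label in SQL_MARKERS:
            if pattern.search(token):
                reasons.append(label)
    return reasons


def scan_log(lines):
    """Return (src_ip, path, reasons) for every JSON log line that trips a rule."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        reasons = classify_request(entry)
        if reasons:
            hits.append((entry["src_ip"], entry["path"], reasons))
    return hits


# Constructed sample log lines; the shape is assumed, not real LiteLLM output.
SAMPLE_LOG = [
    '{"src_ip": "10.0.0.5", "path": "/v1/chat/completions", '
    '"headers": {"authorization": "Bearer sk-virt-aaaa1111"}}',
    '{"src_ip": "198.51.100.7", "path": "/v1/models", '
    '"headers": {"authorization": "Bearer x%27%20OR%201%3D1%20--"}}',
    '{"src_ip": "65.111.25.67", "path": "/v1/embeddings", '
    '"headers": {"authorization": "Bearer sk-virt-aaaa1111"}}',
    '{"src_ip": "203.0.113.9", "path": "/v1/chat/completions", '
    '"headers": {"authorization": "Basic dXNlcjpwYXNz"}}',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(reasons)}")
```

The allowlist is the rule that matters: it fires on any token that could not be a real key, regardless of which SQL dialect or encoding trick the probe uses, while the marker list only annotates the hit. Note that the third line is flagged on source address alone even though its token is well-formed, which is how the published IP should be used: as a trigger for closer review, not as the sole detection.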
References
- [The Hacker News] LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure (2026-04-30) — https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- [BleepingComputer] Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw (2026-04-29) — https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/
- [LiteLLM GitHub Advisory] CVE-2026-42208 Security Advisory (2026-04-19) — https://github.com/BerriAI/litellm/security/advisories