CVE-2026-42208 LiteLLM SQL Injection Actively Exploited: Attackers Target Credential Storage Within 26 Hours of Disclosure
Date: 2026-05-05
Tags: supply-chain
Executive Summary
CVE-2026-42208 (CVSS score: 9.3) is a SQL injection in the LiteLLM proxy's database layer during API key verification: the database query mixed the caller-supplied key value into the query text instead of passing it as a separate, bound parameter. Although the vulnerability was addressed in version 1.83.7-stable, released on April 19, 2026, the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. The attacker targeted database tables such as 'litellm_credentials.credential_values' and 'litellm_config', which hold upstream large language model provider keys and related configuration; the attacker was therefore not only aware of the schema but deliberately went after the tables that hold sensitive secrets.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LiteLLM Pre-Auth SQL Injection Exploitation |
| Attribution | Unknown threat actor (confidence: low) |
| Target | Organizations running unpatched LiteLLM proxy versions; AI infrastructure operators leveraging LiteLLM for multi-model gateway services |
| Vector | HTTP Authorization header injection; pre-authentication SQL injection via LLM API routes |
| Status | active |
| First Observed | 2026-04-26 |
Detailed Findings
An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path. From there, an attacker could read data from the proxy's database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages. In the second phase of the attack, observed about 20 minutes later, the threat actor used a different IP address and used the access it had gained to run a similar probe. LiteLLM is a popular, open-source AI gateway with over 45,000 stars and 7,600 forks on GitHub; last month, the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group to steal credentials and secrets from downstream users.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| SQL Injection | T1190 | Attacker injects malicious SQL via Authorization header into LiteLLM proxy database queries to read/modify credential storage |
| Credential Access | T1110 | Exploitation targets litellm_credentials.credential_values table to exfiltrate upstream LLM provider API keys and cloud credentials |
IOCs
_Vulnerable versions: < 1.83.7-stable; patched in 1.83.7-stable (released 2026-04-19); exploitation IPs observed include 65.111.25.67_
Package Indicators
litellm
Detection Recommendations
- Monitor for unusual Authorization header patterns in LiteLLM proxy access logs; detect SQL syntax characters (single quotes, semicolons, UNION) in Authorization headers.
- Log and alert on database errors returned in proxy error-handling paths.
- Implement WAF rules to block SQL injection patterns in HTTP headers.
- Audit the litellm_credentials.credential_values table for unauthorized read/write activity and export events.
- Ensure all LiteLLM deployments are updated to version 1.83.7-stable or later.
- Monitor for credential exfiltration from the proxy database to external IPs.
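The header-inspection recommendations above, turned into a small log scanner as an added example (not code from the advisory or from the LiteLLM project). The access-log layout is an assumption, the sample lines are constructed, and the only page-sourced value is the exploitation IP 65.111.25.67.

```python
import re

# Indicators named in the advisory's detection recommendations: SQL metacharacters
# and keywords that never belong inside a bearer token.
SQLI_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "semicolon": re.compile(r";"),
    "sql_comment": re.compile(r"--"),
    "union_keyword": re.compile(r"\bUNION\b", re.IGNORECASE),
    "select_keyword": re.compile(r"\bSELECT\b", re.IGNORECASE),
}
# Exploitation IP reported in the advisory's IOC section.
KNOWN_EXPLOIT_IPS = {"65.111.25.67"}

# Assumed (constructed) access-log layout, one request per line:
#   <timestamp> <client_ip> <method> <path> <status> "<Authorization value>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

def auth_header_indicators(auth: str) -> list:
    """Names of the SQL-injection indicators present in an Authorization value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(auth)]

def scan_log(lines) -> list:
    """Return one alert dict per log line that looks like an injection attempt."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        reasons = auth_header_indicators(m["auth"])
        if m["ip"] in KNOWN_EXPLOIT_IPS:
            reasons.append("known_exploit_ip")
        # A 5xx on an LLM route together with a hostile-looking key matches the
        # error-handling path the advisory describes; only add it as a corroborating signal.
        if reasons and m["status"].startswith("5"):
            reasons.append("server_error_on_llm_route")
        if reasons:
            alerts.append({"ts": m["ts"], "ip": m["ip"], "path": m["path"], "reasons": reasons})
    return alerts

# Constructed sample lines (not real traffic); the first mimics the probe shape.
SAMPLE_LOG = [
    '2026-04-26T16:17:00Z 65.111.25.67 POST /chat/completions 500 "Bearer sk-x\' UNION SELECT 1--"',
    '2026-04-26T16:18:10Z 10.0.0.7 POST /chat/completions 200 "Bearer sk-legit-key-0001"',
    '2026-04-26T16:37:00Z 198.51.100.23 POST /v1/chat/completions 500 "Bearer sk-y\'; SELECT 1;--"',
    '2026-04-26T16:40:00Z 10.0.0.8 GET /health 200 ""',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```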
References
- [The Hacker News] LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure (2026-04-29) — https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- [SecurityWeek] Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure (2026-04-30) — https://www.securityweek.com/fresh-litellm-vulnerability-exploited-shortly-after-disclosure/