CVE-2026-42208: Critical SQL Injection in LiteLLM AI Gateway Actively Exploited Within 36 Hours—Attackers Target Credential Tables
Date: 2026-05-12
Tags: supply-chain, malicious-tool
Executive Summary
CVE-2026-42208 (CVSS 9.3) is a critical SQL injection vulnerability in LiteLLM versions 1.81.16 through 1.83.6 that allows unauthenticated attackers to modify the underlying proxy database. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed. Attackers specifically targeted database tables like "litellm_credentials.credential_values" and "litellm_config" that hold upstream LLM provider keys, suggesting prior knowledge of the schema and a focus on harvesting sensitive secrets.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LiteLLM CVE-2026-42208 Mass Exploitation |
| Attribution | Unknown threat actor(s) (confidence: medium) |
| Target | Organizations running exposed LiteLLM proxy servers; OpenAI, Anthropic, Azure, and other LLM provider credentials managed by affected deployments |
| Vector | SQL Injection via crafted Authorization headers sent to LLM API routes (POST /chat/completions, etc.) |
| Status | active |
| First Observed | 2026-04-26 |
Detailed Findings
From version 1.81.16 up to but not including 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate bound parameter. An unauthenticated attacker could therefore send a specially crafted Authorization header to any LLM API route and reach the vulnerable query through the proxy's error-handling path. The 36-hour exploit window demonstrates the broader collapse in time-to-exploit: the attackers learned of the vulnerability through either the GitHub advisory or open-source schema documentation, enabling immediate weaponization without waiting for a public proof-of-concept. On May 8, 2026, CISA added CVE-2026-42208 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply patches by May 11, 2026.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| SQL Injection | T1190 | Attacker injects malicious SQL into API key validation queries to extract or modify credential database |
| Credential Access | T1110 | Exfiltration of LLM provider API keys and upstream cloud credentials stored in compromised database |
| Data from Information Repositories | T1213 | Attackers enumerate and extract data from LiteLLM configuration and credential tables |
IOCs
Domains
_Source: Sysdig Threat Research Team telemetry. No malware artifacts observed; SQL injection technique is sufficient for exploitation. IPs associated with exploitation attempts only._
Full URL Paths
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
litellm>=1.81.16,<1.83.7
Detection Recommendations
- Monitor LiteLLM proxy logs for SQL error messages in authentication flows.
- Inspect Authorization header values for SQL metacharacters (', ", --, ;).
- Alert on failed authentication attempts followed by database error responses.
- Review litellm_credentials and litellm_config table access logs for unauthorized read/write operations.
- Implement WAF rules to block common SQL injection patterns in HTTP headers.
- Enforce rate limiting on /chat/completions and other LLM API endpoints.
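The following is an added example, not code from LiteLLM or from the referenced reports, showing how the first three recommendations can be run over proxy access logs. The key=value log format, field names and sample lines are constructed assumptions; adapt the regex to your own proxy or WAF log layout.

```python
import re

# Constructed sample lines in an assumed key=value access-log format
# (not real LiteLLM log output). Addresses and key values are made up.
SAMPLE_LOGS = [
    '2026-04-26T16:17:02Z src=203.0.113.10 path=/chat/completions auth="Bearer sk-guess1" status=401 db_error=0',
    '2026-04-26T16:17:03Z src=203.0.113.10 path=/chat/completions auth="Bearer sk-test\';--" status=500 db_error=1',
    '2026-04-26T16:18:00Z src=198.51.100.7 path=/chat/completions auth="Bearer sk-goodkey" status=200 db_error=0',
    '2026-04-26T16:19:00Z src=198.51.100.7 path=/embeddings auth="Bearer sk-goodkey" status=200 db_error=0',
]

# Greedy .* keeps an embedded double quote inside the auth value from breaking the parse.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) auth="(?P<auth>.*)" '
    r'status=(?P<status>\d+) db_error=(?P<db_error>[01])$'
)
# The SQL metacharacters named in the detection recommendations.
SQL_METACHARS = ("'", '"', "--", ";")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["db_error"] = ev["db_error"] == "1"
    return ev

def has_sql_metachars(auth_value):
    """True if an Authorization header value contains any SQL metacharacter."""
    return any(tok in auth_value for tok in SQL_METACHARS)

def analyze(lines):
    """Return (src, reason, timestamp) alerts for suspicious key-check traffic."""
    alerts = []
    last_failed_auth = {}  # src -> timestamp of the most recent 401/403
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if has_sql_metachars(ev["auth"]):
            alerts.append((ev["src"], "sql_metachar_in_authorization", ev["ts"]))
        # A failed key check followed by a database error from the same source.
        if ev["db_error"] and ev["src"] in last_failed_auth:
            alerts.append((ev["src"], "failed_auth_then_db_error", ev["ts"]))
        if ev["status"] in (401, 403):
            last_failed_auth[ev["src"]] = ev["ts"]
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Legitimate keys never contain these metacharacters, so the first rule has a low false-positive rate; the second rule needs a time window in production rather than the unbounded "last failure" used here.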
References
- [The Hacker News] LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure (2026-05-08) — https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- [Sysdig Blog] CVE-2026-42208: How attackers exploited LiteLLM credentials (2026-05-08) — https://webflow.sysdig.com/blog/cve-2026-42208-how-attackers-exploited-litellm-credentials
- [CVE.news] CVE-2026-42208 - Critical LiteLLM SQL Injection Risk Exposes Secrets and Access (2026-05-08) — https://www.cve.news/cve-2026-42208/
- [CISA KEV Catalog] CVE-2026-42208 Added to Known Exploited Vulnerabilities (2026-05-08) — https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-two-known-exploited-vulnerabilities-catalog