CVE-2026-42208: Critical SQL Injection in LiteLLM AI Gateway Exploited Within 36 Hours—Attackers Harvest LLM Credentials and Configuration
Date: 2026-05-13
Tags: supply-chain, malicious-tool
Executive Summary
CVE-2026-42208 (CVSS score: 9.3) is an SQL injection that could be exploited to read and modify the underlying LiteLLM proxy database. The vulnerability was addressed in version 1.83.7-stable, released on April 19, 2026, but the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. Attackers went straight for credential tables, confirming that AI infrastructure now sits inside the same rapid-exploitation window as any other public-facing application.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LiteLLM CVE-2026-42208 Active Exploitation Campaign |
| Attribution | Unknown, likely organized crime or state-linked (confidence: low) |
| Target | Organizations running LiteLLM proxy in production, particularly in financial services and healthcare |
| Vector | SQL injection via Authorization header |
| Status | active |
| First Observed | 2026-04-26 |
Detailed Findings
A database query executed during proxy API key checks concatenated the caller-supplied key value into the query text instead of binding it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy's error-handling path. The attacker could read data from the proxy's database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages. The unknown threat actor is said to have targeted database tables such as "litellm_credentials.credential_values" and "litellm_config", which hold upstream large language model (LLM) provider keys and the proxy runtime configuration. No probes were observed against tables such as "litellm_users" or "litellm_team". This suggests that the attacker was not only aware of the schema, but deliberately went after the tables that hold sensitive secrets. On May 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42208 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by May 11, 2026.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application (SQL injection) | T1190 | Exploitation of unparameterized SQL queries in API key validation |
| Credentials from Password Stores (credential access) | T1555 | Extraction of LLM provider API keys from the compromised database |
IOCs
Domains / Full URL Paths
_None published. IP source attribution from Sysdig telemetry. CVE-2026-42208 CVSS 9.3, patched in 1.83.7_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
litellm versions 1.81.16 to 1.83.6 (vulnerable)
Detection Recommendations
Immediate:
- Upgrade all LiteLLM instances to version 1.83.7 or later.
- Review access logs for any Authorization headers containing SQL syntax (semicolons, quotes, UNION keywords) between April 19-26.
- Rotate all upstream LLM provider API keys.
- Audit CloudTrail / database logs for unauthorized SELECT/UPDATE on the litellm_credentials and litellm_config tables.
Ongoing:
- Implement WAF rules blocking SQL payloads in Authorization headers.
- Segment LiteLLM instances behind authenticated reverse proxies.
- Enable real-time query monitoring on database connections from LiteLLM processes.
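The access-log review above, as an added example (not code from LiteLLM or from the referenced reports): it scans JSON-per-line access logs for Authorization headers carrying SQL syntax inside the April 19-26 window. The log field names (`ts`, `src`, `path`, `authorization`) and the sample lines are constructed assumptions, not LiteLLM's own log format.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (JSON per line). Field names are
# assumptions for this example, not LiteLLM's own log schema.
SAMPLE_LOG = """\
{"ts": "2026-04-20T09:12:01Z", "src": "203.0.113.10", "path": "/chat/completions", "authorization": "Bearer sk-AbC123xyz"}
{"ts": "2026-04-26T16:17:44Z", "src": "198.51.100.7", "path": "/chat/completions", "authorization": "Bearer sk-a' UNION SELECT 1 --"}
{"ts": "2026-04-26T16:18:02Z", "src": "198.51.100.7", "path": "/v1/embeddings", "authorization": "Bearer sk-a'; --"}
{"ts": "2026-04-18T23:59:59Z", "src": "192.0.2.5", "path": "/chat/completions", "authorization": "Bearer sk-b'; --"}
{"ts": "2026-04-22T11:00:00Z", "src": "203.0.113.11", "path": "/models", "authorization": ""}
"""

# Markers named in the advisory (semicolons, quotes, UNION) plus SQL comment
# tokens and the SELECT/UPDATE verbs the database-log audit looks for.
SQL_MARKERS = (
    ("semicolon", re.compile(r";")),
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*")),
    ("union", re.compile(r"\bUNION\b", re.IGNORECASE)),
    ("select_or_update", re.compile(r"\b(SELECT|UPDATE)\b", re.IGNORECASE)),
)

# Review window: patch release (April 19) through the end of April 26 (UTC).
WINDOW_START = datetime(2026, 4, 19, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 27, tzinfo=timezone.utc)  # exclusive


def sql_markers(header: str) -> list[str]:
    """Return the names of SQL-syntax markers present in an Authorization header."""
    return [name for name, rx in SQL_MARKERS if rx.search(header)]


def scan_access_log(text: str, start: datetime = WINDOW_START,
                    end: datetime = WINDOW_END) -> list[dict]:
    """Return one hit per in-window request whose Authorization header carries SQL syntax."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if not (start <= ts < end):
            continue  # outside the review window
        markers = sql_markers(rec.get("authorization", ""))
        if markers:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "path": rec["path"], "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['path']} -> {', '.join(hit['markers'])}")
```

Every flagged source should be checked against database logs for SELECT/UPDATE activity on litellm_credentials and litellm_config, since a well-formed API key never contains these characters.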
References
- [The Hacker News] LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure (2026-04-26) — https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- [Sysdig] CVE-2026-42208: Critical SQL Injection in LiteLLM AI Gateway Actively Exploited Within 36 Hours (2026-04-26) — https://www.sysdig.com/blog/litellm-sql-injection-cve-2026-42208/
- [CISA] CVE-2026-42208 Added to Known Exploited Vulnerabilities Catalog (2026-05-08) — https://www.cisa.gov/