
CVE-2026-42208: Critical SQL Injection in LiteLLM AI Gateway Under Active Exploitation

Date: 2026-05-19
Tags: malicious-tool

Executive Summary

LiteLLM, a popular open-source 'AI Gateway' that makes it easier to run OpenAI-style LLM queries across models and providers, has a serious vulnerability, CVE-2026-42208, affecting versions 1.81.16 up to just before 1.83.7. In those versions, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker can send a specially crafted Authorization header to any LLM API route and read or modify data in the proxy's database, leading to unauthorized access to the proxy and the credentials it manages.

Campaign Summary

| Field | Detail |
| --- | --- |
| Campaign / Malware | CVE-2026-42208 LiteLLM SQL Injection Exploitation |
| Attribution | Unknown; active exploitation reported (confidence: low) |
| Target | LiteLLM proxy deployments (versions 1.81.16-1.83.6) |
| Vector | Unauthenticated SQL injection via malformed Authorization header |
| Status | active |
| First Observed | 2026-05-08 |

Detailed Findings

This design error opens the door not only to reading arbitrary data from the LiteLLM database but also to potential modification of records, leading in practice to full compromise of the LiteLLM proxy instance and the secrets it manages on behalf of downstream applications. These events reinforce a broader trend: AI infrastructure and LLM gateways are becoming high-priority targets for financially motivated and state-aligned threat actors. The case illustrates a new reality: a critical pre-authentication vulnerability in a widely trusted project can move from disclosure to exploitation in a matter of hours, not weeks, and organizations relying on LLMs and AI gateways should assume any publicly announced flaw will be actively targeted almost immediately.
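The design error described above, shown in miniature as an added example (not LiteLLM's code and not part of the original advisory): the same key lookup written with string concatenation and with a bound parameter. The `api_keys` table, the function names and the sample header values are assumptions constructed for illustration, using Python's built-in sqlite3.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a proxy key table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO api_keys VALUES ('sk-constructed-example-key', 'team-a')")
    return db


def bearer_token(authorization):
    """Return the value after 'Bearer ', or the raw header if the scheme is absent."""
    prefix = "Bearer "
    return authorization[len(prefix):] if authorization.startswith(prefix) else authorization


def lookup_concatenated(db, authorization):
    """Flawed pattern: the caller-supplied key becomes part of the SQL text."""
    sql = "SELECT owner FROM api_keys WHERE token = '" + bearer_token(authorization) + "'"
    return db.execute(sql).fetchone()


def lookup_parameterized(db, authorization):
    """Fixed pattern: the key is bound as a parameter, so it is only ever data."""
    sql = "SELECT owner FROM api_keys WHERE token = ?"
    return db.execute(sql, (bearer_token(authorization),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    samples = {
        "valid key": "Bearer sk-constructed-example-key",
        # Constructed textbook input, not taken from the reported exploitation.
        "crafted value": "Bearer x' OR '1'='1",
    }
    for label, header in samples.items():
        print(label, "| concatenated:", lookup_concatenated(db, header),
              "| parameterized:", lookup_parameterized(db, header))
```

With the crafted value, the concatenated lookup returns a row although no such key exists, while the bound-parameter lookup returns nothing.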

MITRE ATT&CK Mapping

| Technique | ID | Context |
| --- | --- | --- |
| SQL Injection | T1190 | Unauthenticated SQL injection through Authorization header parameter |
| Credential Theft | T1555 | Stolen LLM API credentials and cloud secrets from compromised proxy database |
| Lateral Movement | T1570 | Potential access to downstream LLM services and cloud environments |

IOCs

Domains

_Patch available: LiteLLM 1.83.7-stable or later_

Full URL Paths

_Patch available: LiteLLM 1.83.7-stable or later_

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

litellm (versions 1.81.16 to 1.83.6)

Detection Recommendations

- Immediately upgrade LiteLLM to version 1.83.7-stable or later.
- If an immediate upgrade is not feasible, apply the temporary workaround by setting disable_error_logs: true in the configuration.
- Review LiteLLM logs for anomalous access patterns and SQL injection indicators in Authorization headers.
- Monitor for unusual database queries.
- Track access to LLM endpoints and credentials.
- Implement network segmentation to isolate the LiteLLM proxy.
- Audit all API keys managed by affected proxy instances and rotate them.
