Critical LiteLLM SQL Injection Exploited to Target Stored API Keys and Credentials
Attackers began exploiting CVE-2026-42208 in LiteLLM shortly after public disclosure, using a pre-authentication SQL injection flaw in the product’s Authorization: Bearer verification path to query the backend PostgreSQL database without logging in. The vulnerability, also tracked as GHSA-r75f-5x8p-qvmc, affects LiteLLM versions 1.81.16 through 1.83.6 and was fixed in v1.83.7 after the project replaced vulnerable string interpolation with a parameterized query.
Sysdig said the first observed exploitation attempt arrived 36 hours and seven minutes after the advisory was indexed, with activity focused on enumerating high-value tables holding virtual API keys, provider credentials, verification tokens, and environment-based configuration. Researchers described the intrusion attempts as targeted rather than opportunistic, citing knowledge of Prisma-generated PostgreSQL table names and UNION-based column discovery; while no confirmed follow-on abuse was observed, defenders are being urged to patch exposed instances immediately, rotate all stored secrets, and review logs and billing accounts for signs of compromise.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
CISA adds LiteLLM CVE-2026-42208 to KEV catalog
CISA added CVE-2026-42208, the critical pre-auth SQL injection flaw in BerriAI LiteLLM, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The agency directed federal civilian agencies to remediate the issue under Binding Operational Directive 22-01 by 2026-05-11.
Further reporting confirms active exploitation and urges secret rotation
Subsequent reporting highlighted that the vulnerability was being actively exploited in the wild, linked the observed activity to two IP addresses in the same autonomous system, and reiterated guidance to patch, rotate exposed secrets, and review logs and billing accounts. This reinforced the incident as an active credential-theft risk for vulnerable LiteLLM deployments.
First in-the-wild exploitation attempt targets LiteLLM credential tables
Sysdig observed the first exploitation attempt 36 hours and seven minutes after the advisory was indexed, indicating attackers moved quickly to abuse the flaw. The activity focused on enumerating high-value PostgreSQL tables containing virtual API keys, provider credentials, verification tokens, and environment-variable configuration.
LiteLLM releases v1.83.7 to fix SQL injection flaw
LiteLLM fixed CVE-2026-42208 in version 1.83.7 by replacing string interpolation with a parameterized query in the authentication path. The patch addressed exposure of PostgreSQL-stored secrets such as API keys, provider credentials, and configuration data.
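The fix described above is a textbook case of the one change that closes this bug class: the caller-controlled token must be bound as a query parameter, never pasted into the SQL text. The following is an added example, not LiteLLM's code or its Prisma schema. It uses an in-memory SQLite database as a stand-in for the PostgreSQL store, and the table and column names (`virtual_keys`, `token`, `user_id`) and the `sk-` key shape used for the allow-list check are assumptions for the demo.

```python
"""Vulnerable string-interpolated key lookup beside its parameterized form.

Added example, not LiteLLM's code. SQLite stands in for PostgreSQL; the
table/column names and the assumed 'sk-' key shape are invented for the demo.
"""
import re
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed fixture: two virtual keys in a stand-in credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, user_id TEXT)")
    conn.executemany(
        "INSERT INTO virtual_keys VALUES (?, ?)",
        [("sk-alice-0001", "alice"), ("sk-bob-0002", "bob")],
    )
    return conn


def extract_bearer(header_value: str) -> Optional[str]:
    """Return the token part of 'Bearer <token>', or None if the header is malformed."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()


def lookup_vulnerable(conn: sqlite3.Connection, header_value: str) -> Optional[str]:
    """The bug pattern: the header value is interpolated into the SQL text,
    so any quote or SQL syntax it carries is parsed as part of the statement."""
    token = extract_bearer(header_value)
    sql = f"SELECT user_id FROM virtual_keys WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Assumed shape of a legitimate virtual key: 'sk-' followed by URL-safe characters.
KEY_PATTERN = re.compile(r"^sk-[A-Za-z0-9_-]{4,128}$")


def lookup_hardened(conn: sqlite3.Connection, header_value: str) -> Optional[str]:
    """The fixed pattern: reject tokens that do not look like keys, then bind the
    token as a parameter so the driver never treats its contents as SQL."""
    token = extract_bearer(header_value)
    if token is None or not KEY_PATTERN.fullmatch(token):
        return None
    row = conn.execute(
        "SELECT user_id FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both lookups on a valid key and on a key carrying a stray quote."""
    conn = build_db()
    good = "Bearer sk-alice-0001"
    odd = "Bearer sk-alice-0001'"  # one stray quote is enough to show the difference
    results = {
        "hardened_good": lookup_hardened(conn, good),
        "hardened_odd": lookup_hardened(conn, odd),
        "vulnerable_good": lookup_vulnerable(conn, good),
    }
    try:
        lookup_vulnerable(conn, odd)
        results["vulnerable_odd"] = "executed"
    except sqlite3.OperationalError:
        # The quote broke the statement: proof that header bytes reached the SQL parser.
        results["vulnerable_odd"] = "sql_error"
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened lookup returns the same answer for well-formed keys and simply returns no match for anything else; the interpolated version hands the quote to the SQL parser, which is the behaviour an attacker builds on. The shape check is defence in depth only: the parameter binding is what removes the injection.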
GitHub Advisory Database indexes CVE-2026-42208
The critical pre-authentication SQL injection flaw in LiteLLM, tracked as CVE-2026-42208 / GHSA-r75f-5x8p-qvmc, was indexed in the GitHub Advisory Database. The vulnerability affects LiteLLM versions 1.81.16 through 1.83.6 and allows arbitrary SELECT queries via the Authorization Bearer header.
Sysdig publishes research on targeted exploitation of CVE-2026-42208
Sysdig publicly reported that attackers were deliberately exploiting the LiteLLM SQL injection vulnerability and described the observed tradecraft, including UNION-based column discovery and knowledge of Prisma-generated PostgreSQL table names. The company said it had not confirmed follow-on abuse such as authenticated use of stolen keys, but warned exposed internet-facing instances should be treated as potentially compromised.
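The guidance to review logs for signs of compromise, together with the tradecraft Sysdig describes (probing the authentication path with tokens that carry SQL syntax, repeated from the same source to discover columns), suggests a simple log-review heuristic. The following is an added example, not Sysdig's or LiteLLM's tooling. It assumes a reverse proxy in front of LiteLLM that records the client IP, path, status and raw Authorization header per request; the key=value log format and every sample line are constructed for the demo, and the `sk-` key shape is an assumption.

```python
"""Heuristic review of proxy access logs for abnormal Bearer tokens.

Added example, not vendor tooling. The log format, the sample records and the
assumed 'sk-' virtual-key shape are constructed for the demo.
"""
import re
from collections import Counter

# Constructed sample records (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
2026-05-02T10:00:01Z src=203.0.113.10 path=/v1/chat/completions status=200 auth="Bearer sk-alice-0001"
2026-05-02T10:00:05Z src=198.51.100.7 path=/v1/models status=401 auth="Bearer sk-a' UNION SELECT 1--"
2026-05-02T10:00:06Z src=198.51.100.7 path=/v1/models status=401 auth="Bearer sk-a' UNION SELECT 1,2--"
2026-05-02T10:00:07Z src=198.51.100.7 path=/v1/models status=401 auth="Bearer sk-a' UNION SELECT 1,2,3--"
2026-05-02T10:00:09Z src=203.0.113.22 path=/v1/models status=401 auth="Bearer sk-bob-0002"
2026-05-02T10:00:11Z src=203.0.113.22 path=/v1/models status=200 auth="Basic dXNlcjpwYXNz"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) '
    r'status=(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)
# Assumed shape of a legitimate virtual key: 'sk-' plus URL-safe characters.
KEY_RE = re.compile(r"^sk-[A-Za-z0-9_-]+$")
# Characters and words that have no business inside an API key.
SQL_META = ("'", '"', ";", "--", "/*", "*/")
SQL_WORDS = re.compile(r"\b(union|select|information_schema|pg_catalog)\b", re.I)


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_auth(auth_value: str) -> list:
    """Return the reasons an Authorization value looks abnormal; empty means it
    looks like an ordinary Bearer virtual key."""
    reasons = []
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "bearer":
        return ["non_bearer_scheme"]
    if any(meta in token for meta in SQL_META):
        reasons.append("sql_metachar")
    if SQL_WORDS.search(token):
        reasons.append("sql_keyword")
    if not reasons and not KEY_RE.match(token):
        reasons.append("unexpected_key_shape")
    return reasons


def review(log_text: str, enumeration_threshold: int = 3) -> dict:
    """Flag each abnormal request and every source that sends abnormal tokens
    repeatedly, which is the column-discovery pattern worth escalating."""
    findings = []
    abnormal_per_src = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = classify_auth(rec["auth"])
        if reasons:
            abnormal_per_src[rec["src"]] += 1
            findings.append((rec["ts"], rec["src"], rec["path"], reasons))
    enumerating = sorted(
        src for src, n in abnormal_per_src.items() if n >= enumeration_threshold
    )
    return {"findings": findings, "enumerating_sources": enumerating}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    print("repeat offenders:", result["enumerating_sources"])
```

A 401 on its own is noise; a 401 whose token carries quote characters or SQL keywords is a strong signal on a pre-auth endpoint, and three or more of them from one source in quick succession is the shape of column enumeration. Any source flagged this way against an instance that ran a vulnerable version is a reason to treat the stored keys as exposed and rotate them, as the reporting above advises.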
LiteLLM publishes vendor advisory for CVE-2026-42208
BerriAI published a GitHub security advisory for CVE-2026-42208 affecting LiteLLM versions 1.81.16 through 1.83.6, describing unauthenticated SQL injection via the proxy API key verification path. The advisory credited Tencent YunDing Security Lab, noted the fix in version 1.83.7, and provided a workaround to set `disable_error_logs: true` for users unable to upgrade immediately.
Sources
U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
CVE-2026-42208 - LiteLLM: SQL injection in Proxy API key verification (cvefeed.io)
CVE-2026-42208: Pre-Authentication SQL Injection in… | Bishop Fox (bishopfox.com)
CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure (securityaffairs.com)
Critical SQL Injection Vulnerability in LiteLLM Exploited in-the-Wild (threats.wiz.io)
SQL injection in Proxy API key verification · Advisory · BerriAI/litellm · GitHub (github.com)
CVE-2026-42208: Targeted SQL injection against LiteLLM's authentication path discovered 36 hours following vulnerability disclosure | Sysdig (sysdig.com)