{"id":747,"date":"2026-04-29T06:30:59","date_gmt":"2026-04-29T06:30:59","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=747"},"modified":"2026-04-29T06:30:59","modified_gmt":"2026-04-29T06:30:59","slug":"litellm-cve-2026-42208-sql-injection-exploited-within-36-hours-of-disclosure","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=747","title":{"rendered":"LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 29, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Cloud Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI&#8217;s <a href=\"https:\/\/github.com\/BerriAI\/litellm\">LiteLLM<\/a> Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge.<\/p>\n<p>The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database.<\/p>\n<p>\u00abA database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter,\u00bb LiteLLM maintainers <a href=\"https:\/\/github.com\/BerriAI\/litellm\/security\/advisories\/GHSA-r75f-5x8p-qvmc\">said<\/a> in an alert last week.<\/p>\n
<p>\u00abAn unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST \/chat\/completions) and reach this query through the proxy&#8217;s error-handling path. An attacker could read data from the proxy&#8217;s database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages.\u00bb<\/p>\n<p>The shortcoming affects the following versions &#8211;<\/p>\n<p>While the vulnerability was addressed in version <a href=\"https:\/\/github.com\/BerriAI\/litellm\/releases\/tag\/v1.83.7-stable\">1.83.7-stable<\/a> released on April 19, 2026, the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database.
The SQL injection activity, per Sysdig, originated from the IP address 65.111.27[.]132.<\/p>\n<p>\u00abMalicious activity fell into two phases driven by the same operator across two adjacent egress IPs, followed by a brief unauthenticated probe of the key-management endpoints,\u00bb security researcher Michael Clark <a href=\"https:\/\/www.sysdig.com\/blog\/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure\">said<\/a>.<\/p>\n<p>Specifically, the unknown threat actor is said to have targeted database tables like \u00ablitellm_credentials.credential_values\u00bb and \u00ablitellm_config\u00bb that hold information related to upstream large language model (LLM) provider keys and the proxy runtime environment. No probes were observed against tables like \u00ablitellm_users\u00bb or \u00ablitellm_team.\u00bb<\/p>\n<p>This suggests that the attacker was not only aware of these tables, but also went after those that hold sensitive secrets. In the second phase of the attack, observed after 20 minutes, the threat actor used a different IP address (\u00ab65.111.25[.]67\u00bb), this time abusing the access to run a similar probe.<\/p>\n<p>LiteLLM is a popular open-source AI Gateway with over 45,000 stars and 7,600 forks on GitHub. Last month, the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group to steal credentials and secrets from downstream users.<\/p>\n<p>\u00abA single litellm_credentials row often holds an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential,\u00bb Sysdig said.
\u00abThe blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection.\u00bb<\/p>\n<p>Users are advised to patch their instances to the latest version. If this is not an immediate option, the maintainers recommend setting \u00abdisable_error_logs: true\u00bb under \u00abgeneral_settings\u00bb to remove the path through which untrusted input reaches the vulnerable query.<\/p>\n<p>\u00abThe LiteLLM vulnerability (GHSA-r75f-5x8p-qvmc) continues the modal pattern for AI-infrastructure advisories: critical, pre-auth, and in software with five-figure star counts that operators trust to centralize cloud-grade credentials,\u00bb Sysdig added.<\/p>\n<p>\u00abThe 36-hour exploit window is consistent with the broader collapse documented by the Zero Day Clock, and the operator behavior we recorded (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC.
The advisory and the open-source schema were ultimately enough.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 29, 2026Vulnerability \/ Cloud Security In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI&#8217;s LiteLLM Python&hellip;<\/p>\n","protected":false},"author":1,"featured_media":748,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1463,799,128,582,525,866,562],"class_list":["post-747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-cve202642208","tag-disclosure","tag-exploited","tag-hours","tag-injection","tag-litellm","tag-sql"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=747"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/747\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/748"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfo
rtress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}