Critical LiteLLM SQL Injection Flaw Exploited in the Wild
Key Takeaways A critical pre-authentication SQL injection vulnerability in LiteLLM, an open-source AI gateway (CVE-2026-42208), is being actively exploited. The flaw allows unauthorized attackers to...
Key Takeaways
- A critical pre-authentication SQL injection vulnerability in LiteLLM, an open-source AI gateway (CVE-2026-42208), is being actively exploited.
- The flaw allows unauthorized attackers to extract sensitive cloud and AI provider credentials from the platform’s PostgreSQL database.
- Exploitation was detected just over 36 hours after public disclosure, targeting specific tables containing high-value secrets.
- LiteLLM version 1.83.7 resolves the vulnerability; immediate patching and comprehensive credential rotation are urgently recommended for affected versions (1.81.16 through 1.83.6).
A severe pre-authentication SQL injection vulnerability impacting LiteLLM, a widely adopted open-source AI gateway with over 22,000 GitHub stars, is now under active exploitation in the wild. This critical flaw, identified as CVE-2026-42208, enables unauthorized attackers to directly exfiltrate highly sensitive cloud and AI provider credentials from the platform’s PostgreSQL database.
Table Of Content
LiteLLM functions as a central proxy, facilitating interactions with major language models such as OpenAI, Anthropic, and AWS Bedrock. Given its role in managing AI routing and billing, the application is a repository for high-value secrets, including master API keys and enterprise cloud credentials.
Rapid Exploitation and Targeted Data Theft
The potential impact of a successful breach through this vulnerability is akin to a major cloud account compromise, far exceeding that of a typical web application attack. The vulnerability resides within the proxy’s verification process, specifically due to LiteLLM’s failure to adequately secure the Authorization Bearer header.
Attackers can inject a single quote into a crafted, fake token, such as sk-litellm'. This malicious input allows them to escape the intended query structure and execute arbitrary database commands even before authentication takes place. Any HTTP client capable of reaching the proxy port can initiate this exploit.
The Sysdig Threat Research Team reported detecting the first exploitation attempt a mere 36 hours and seven minutes after the vulnerability was indexed in the global GitHub Advisory Database on April 24, 2026. This rapid response, coupled with the absence of typical automated scanning, suggests the attackers possessed advanced knowledge of LiteLLM’s internal architecture.
The threat actors launched highly targeted attacks against three specific tables: LiteLLM_VerificationToken, litellm_credentials, and litellm_config. These tables house the system’s most vital data, including virtual API keys, stored provider credentials, and environment configurations. The operators even tailored their payloads to precisely match the database schema’s case. This coordinated and deliberate data-extraction effort originated from two IP addresses (65.111.27.132 and 65.111.25.67) within the same autonomous system.
Immediate Patching and Credential Rotation
LiteLLM maintainers have released version 1.83.7, which addresses the vulnerability by implementing proper security measures for database queries. Organizations utilizing any affected version, ranging from 1.81.16 through 1.83.6, must apply this critical update without delay.
Given that this attack bypasses authentication and can be executed against any exposed instance, administrators should operate under the assumption that vulnerable, internet-facing servers have already been compromised. Security teams are strongly advised to immediately rotate all virtual API keys, master keys, and stored provider credentials.
Furthermore, companies should proactively monitor their upstream cloud billing accounts for any unusual API calls or unauthorized consumption of AI tokens. Defenders should also audit web server logs for suspicious requests containing SQL keywords or the specific sk-litellm' payload. As AI gateways increasingly become central repositories for valuable cloud credentials, they must be treated as paramount security targets. Implementing strong network segmentation, such as securing these proxy environments behind internal networks, and maintaining rigorous patch management are crucial steps to prevent devastating corporate credential theft.
What You Should Do
- Immediately update all LiteLLM instances to version 1.83.7 or later to patch the CVE-2026-42208 vulnerability.
- Assume compromise for any vulnerable, internet-facing LiteLLM instances and proceed with full incident response protocols.
- Rotate all virtual API keys, master keys, and stored cloud/AI provider credentials associated with LiteLLM.
- Monitor upstream cloud billing accounts for any unexpected API calls or unusual AI token consumption.
- Audit web server logs for suspicious requests containing SQL keywords or the specific payload
sk-litellm'. - Ensure LiteLLM instances are not directly exposed to the internet unless absolutely necessary, and ideally, secure them behind internal networks or robust access controls.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.