Critical LiteLLM SQL Injection CVE-2026-42208 Exploited Within 36 Hours of Disclosure
A critical SQL injection vulnerability in BerriAI's LiteLLM Python package, CVE-2026-42208, is being actively exploited in the wild just 36 hours after disclosure, with attackers targeting database tables holding LLM provider keys and proxy credentials.

A critical SQL injection vulnerability in BerriAI's LiteLLM Python package, tracked as CVE-2026-42208 (CVSS 9.3), has come under active exploitation within 36 hours of public disclosure. The flaw, which affects LiteLLM versions >=1.81.16 and <1.83.7, allows an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route (e.g., POST /chat/completions) and reach the proxy database through the error-handling path. This enables reading and potentially modifying sensitive data stored in the proxy database.
The vulnerability stems from a database query used during proxy API key checks that mixed the caller-supplied key value directly into the query text instead of passing it as a separate parameter. According to Sysdig, the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours after the GitHub advisory was indexed in the global GitHub Advisory Database. The SQL injection activity originated from IP address 65.111.27[.]132.
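The root cause described above, spliced user input versus a bound parameter, as an added illustration that is not LiteLLM's code and does not mirror its schema. The table `api_keys`, its two sample rows and the `bearer_token` helper are constructed for this demo; sqlite3 stands in for the proxy database. The point it makes: the same Authorization header value that selects one row through the parameterized lookup rewrites the WHERE clause when it is concatenated into the query text.

```python
import sqlite3

# Constructed sample data for the demo (not LiteLLM's real table or columns).
SAMPLE_KEYS = [
    ("sk-demo-alice", "alice"),
    ("sk-demo-bob", "bob"),
]


def build_db():
    """In-memory stand-in for the proxy database, seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?)", SAMPLE_KEYS)
    return conn


def bearer_token(authorization_header):
    """Hypothetical helper: pull the token out of 'Bearer <token>'.

    Returns None when the scheme is not Bearer. The token is untrusted input:
    it is whatever the caller put in the header, metacharacters included.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip()


def lookup_vulnerable(conn, token):
    """Anti-pattern: the caller-supplied value becomes part of the SQL text.

    A quote character in the token closes the string literal and the rest of
    the token is parsed as SQL, so the query no longer means 'find this key'.
    """
    sql = f"SELECT owner FROM api_keys WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, token):
    """Hardened form: the value is bound as a parameter and is only ever data."""
    sql = "SELECT owner FROM api_keys WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))]


def demo():
    """Run both lookups against a legitimate and a malformed header value."""
    conn = build_db()
    legit = bearer_token("Bearer sk-demo-alice")
    crafted = bearer_token("Bearer x' OR '1'='1")   # constructed malformed value
    return {
        "legit_vulnerable": lookup_vulnerable(conn, legit),
        "legit_parameterized": lookup_parameterized(conn, legit),
        "crafted_vulnerable": sorted(lookup_vulnerable(conn, crafted)),
        "crafted_parameterized": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized lookup returns exactly one owner for the real key and nothing for the malformed value; the concatenated lookup returns every owner in the table for the malformed value, which is the behaviour a key-check query must never have.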
Security researcher Michael Clark noted that malicious activity fell into two phases driven by the same operator across two adjacent egress IPs, followed by a brief unauthenticated probe of key-management endpoints. The unknown threat actor specifically targeted database tables like "litellm_credentials.credential_values" and "litellm_config," which hold information related to upstream LLM provider keys and the proxy runtime environment. No probes were observed against tables like "litellm_users" or "litellm_team," indicating the attacker was aware of the database schema and focused on high-value secrets.
In the second phase of the attack, observed roughly 20 minutes later, the threat actor used a different IP address (65.111.25[.]67) to abuse the same access and run a similar probe. Sysdig warned that a single litellm_credentials row often holds an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential. The blast radius of a successful database extraction is therefore closer to a cloud-account compromise than to a typical web-app SQL injection.
LiteLLM is a popular open-source AI Gateway software with over 45,000 stars and 7,600 forks on GitHub. Last month, the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group to steal credentials and secrets from downstream users. The rapid exploitation of CVE-2026-42208 continues the modal pattern for AI-infrastructure advisories: critical, pre-auth, and in software with five-figure star counts that operators trust to centralize cloud-grade credentials.
The vulnerability was addressed in version 1.83.7-stable released on April 19, 2026. Users are advised to patch their instances to the latest version immediately. If patching is not an immediate option, the maintainers recommend setting "disable_error_logs: true" under "general_settings" to remove the path through which untrusted input reaches the vulnerable query. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42208 to its Known Exploited Vulnerabilities (KEV) catalog on May 8, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to apply patches by May 11, 2026.
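A small exposure check that turns the affected range (>=1.81.16 and <1.83.7) and the `disable_error_logs` workaround quoted above into something an operator can run against an inventory. This is added example code, not a LiteLLM tool. It assumes the version string is dotted integers with an optional `-label` suffix such as `-stable`, and that the proxy configuration has already been loaded into a dict (so `general_settings: {disable_error_logs: true}` in YAML arrives as a Python bool); `SAMPLE_CONFIGS` is constructed for the demo.

```python
import re

# Affected range as reported in the advisory: >=1.81.16 and <1.83.7.
AFFECTED_MIN = (1, 81, 16)   # inclusive lower bound
FIXED = (1, 83, 7)           # first fixed release (shipped as 1.83.7-stable)


def parse_version(version):
    """Turn '1.83.7' or '1.83.7-stable' into a comparable tuple of ints.

    Assumption: the numeric part is dotted integers and anything after the
    first '-' is a release label that does not affect ordering.
    """
    numeric = version.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(?:\.\d+)*", numeric):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in numeric.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.83' to (1, 83, 0)


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def mitigation_enabled(proxy_config):
    """True when general_settings.disable_error_logs is literally true.

    Strict on purpose: a string 'true' or a missing key is not a mitigation.
    """
    general = proxy_config.get("general_settings") or {}
    return general.get("disable_error_logs") is True


def assess(version, proxy_config):
    """Classify one deployment: not_affected, affected_mitigated, affected_unmitigated."""
    if not is_affected(version):
        return "not_affected"
    if mitigation_enabled(proxy_config):
        return "affected_mitigated"
    return "affected_unmitigated"


# Constructed inventory for the demo: (version, loaded proxy config dict).
SAMPLE_CONFIGS = [
    ("1.83.7-stable", {}),
    ("1.81.15", {}),
    ("1.81.16", {"general_settings": {}}),
    ("1.82.0", {"general_settings": {"disable_error_logs": True}}),
    ("1.83.6", {"general_settings": {"disable_error_logs": "true"}}),
]


def assess_inventory(inventory=SAMPLE_CONFIGS):
    """Return {version: status} for every entry in the inventory."""
    return {version: assess(version, cfg) for version, cfg in inventory}


if __name__ == "__main__":
    for version, status in assess_inventory().items():
        print(f"{version:>14}  {status}")
```

An `affected_unmitigated` result is the one that needs action today: upgrade to 1.83.7 or later, or set `disable_error_logs: true` under `general_settings` until the upgrade can be scheduled. The workaround only closes the error-logging path the advisory names; it is not a substitute for the patch.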
The 36-hour exploit window is consistent with the broader collapse of time-to-exploitation documented by the Zero Day Clock, and the operator behavior recorded (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC. The advisory and the open-source schema were ultimately enough for attackers to weaponize the flaw. This incident underscores the urgent need for organizations to prioritize patching of AI infrastructure components that centralize sensitive credentials.