CVE-2026-42208: LiteLLM: SQL injection exposes LLM API credentials

CRITICAL | ACTIVELY EXPLOITED | NUCLEI TEMPLATE | CISA: ACT
Published May 8, 2026
CISO Take

LiteLLM, a widely deployed AI gateway used to proxy and route requests to OpenAI, Anthropic, Cohere, and other LLM providers, contains a critical SQL injection flaw in its API key validation path: an unauthenticated attacker can exfiltrate or modify the entire proxy database by sending a crafted Authorization header to any LLM endpoint such as POST /chat/completions. The blast radius is severe: LiteLLM acts as a centralized credential vault for all downstream LLM API keys, meaning a single exploit can yield credentials to every AI provider the organization uses, enabling unlimited model access and cost fraud at the victim's expense. The CVSS score is 9.8, with zero privileges required and no user interaction needed, and while EPSS is 0.00084, the package sits in the top 76th percentile for exploitation likelihood and carries a history of 18 prior CVEs, suggesting systemic security debt. Patch immediately to version 1.83.7, rotate all LLM API keys managed by the proxy, and audit Authorization header logs for SQL metacharacters in the error-handling path.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N represents worst-case exploitability: network-accessible, trivial complexity, no authentication or user interaction required. The vulnerability is triggered through the proxy's error-handling path, meaning it is reachable on every LLM route the proxy exposes. LiteLLM's role as a centralized AI gateway dramatically amplifies impact — compromising it yields credentials to every LLM provider in the configuration. An OpenSSF Scorecard of 6.2/10 and 18 prior CVEs in the same package indicate ongoing security quality issues. Not yet in CISA KEV, but the unauthenticated network vector and straightforward SQL injection technique make opportunistic exploitation realistic in the near term.

How does the attack unfold?

Reconnaissance (AML.T0006): Attacker identifies internet-exposed LiteLLM proxy instances via Shodan, Censys, or active scanning for /chat/completions and /health endpoints.

Initial Access (AML.T0049): Attacker sends a POST request to any LLM proxy route with a SQL-injected Authorization header value, reaching the vulnerable key-validation error-handling code path.

Credential Access (AML.T0106): Injected SQL executes against the proxy database via the error path, enabling UNION-based extraction of all stored LLM API keys and user account credentials.

Impact (AML.T0040): Attacker uses stolen LLM API credentials for unauthorized inference access, cost fraud, prompt history exfiltration, or writes a backdoor API key for persistent proxy access.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
LiteLLM | pip | | No patch

51.0K, OpenSSF 6.1, 6 dependents, pushed 2d ago, 38% patched, ~38d to patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 93.1% chance of exploitation in 30 days (higher than 100% of all CVEs)
Exploitation Status: Actively Exploited (CISA KEV)
Sophistication: Trivial
Exploitation Confidence: high

CISA KEV (active exploitation confirmed) — May 2026
CISA SSVC: Active exploitation
Nuclei detection template available
EPSS exploit prediction: 93%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

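Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High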

What should I do?

  1. Patch immediately to LiteLLM 1.83.7 or later — the fix parameterizes the database query to prevent injection.

  2. If patching is blocked, restrict network access to all LiteLLM proxy endpoints to trusted internal networks; do not expose the proxy directly to the internet.

  3. After patching, rotate all LLM API keys managed by the proxy (OpenAI, Anthropic, Cohere, etc.) as a precaution — assume keys may have been exfiltrated if the proxy was internet-accessible.

  4. Review Authorization header logs on LiteLLM endpoints for anomalous values containing SQL metacharacters (single quotes, --, UNION, SELECT, OR).

  5. Enable PostgreSQL query logging temporarily to detect unusual queries in the key-check code path and identify potential prior exploitation.

  6. Audit all database user accounts for unauthorized modifications.

  7. If using LiteLLM Cloud or a managed deployment, contact the vendor to confirm patching status and request access logs.
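
One way to carry out the log review in step 4, as an added example that is not part of the original advisory or of LiteLLM. It assumes a hypothetical JSON-lines access log with `src`, `path` and `authorization` fields (constructed sample data); any value that does not fit the RFC 6750 Bearer token grammar is flagged, and values carrying the indicators listed in step 4 are labelled separately.

```python
import json
import re

# RFC 6750 b64token grammar: a well-formed Bearer credential has no quotes or spaces.
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# Indicators named in step 4: single quotes, --, UNION, SELECT, OR.
SQL_HINTS = re.compile(r"'|--|\b(?:union|select|or)\b", re.IGNORECASE)

def classify(header):
    """Return 'ok', 'malformed' or 'sql-suspect' for one Authorization value."""
    scheme, _, cred = header.partition(" ")
    if scheme.lower() == "bearer" and B64TOKEN.match(cred):
        return "ok"  # grammar-valid tokens cannot break out of a quoted SQL string
    return "sql-suspect" if SQL_HINTS.search(header) else "malformed"

# Constructed sample log lines (hypothetical format, documentation IP ranges).
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "192.0.2.10", "path": "/chat/completions",
     "authorization": "Bearer sk-constructed-1234"},
    {"src": "198.51.100.7", "path": "/chat/completions",
     "authorization": "Bearer x' OR '1'='1' --"},
    {"src": "198.51.100.7", "path": "/health", "authorization": "Bearer "},
)]

def triage(lines):
    """Return (src, path, verdict) for every entry that is not a clean Bearer token."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        header = rec.get("authorization")
        if header is None:
            continue  # request carried no Authorization header
        verdict = classify(header)
        if verdict != "ok":
            hits.append((rec.get("src"), rec.get("path"), verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```
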

What does CISA's SSVC say?

Decision: Act
Exploitation: active
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2 - AI risk assessment; A.8.3 - Information security in AI system development
NIST AI RMF: GOVERN 1.2 - Policies, processes and practices for AI risk management; MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM06 - Sensitive Information Disclosure

How many AI incidents are linked? (2)

AI Threat Alert incident classification, derived from public security reporting. Each item links to its original source.

Frequently Asked Questions

Is CVE-2026-42208 actively exploited?

Yes, CVE-2026-42208 is confirmed actively exploited and has been listed in the CISA Known Exploited Vulnerabilities catalog since May 8, 2026.

What systems are affected by CVE-2026-42208?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, AI proxy and routing layers, Multi-tenant LLM serving infrastructure, Enterprise AI platforms with centralized LLM access, Agent frameworks using LiteLLM for model routing.

What is the CVSS score for CVE-2026-42208?

CVE-2026-42208 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 93.11%.

What is the AI security impact?

Affected AI Architectures

LLM API gateways
AI proxy and routing layers
Multi-tenant LLM serving infrastructure
Enterprise AI platforms with centralized LLM access
Agent frameworks using LiteLLM for model routing

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2, A.8.3
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Exploitation Scenario

An adversary scans Shodan or Censys for internet-exposed LiteLLM proxy instances, trivially fingerprinted by response headers or the /health endpoint. They send a POST request to /chat/completions with a crafted Authorization header — for example, Bearer x' OR '1'='1' -- — which breaks the SQL query context inside the proxy's key-validation error-handling path. The database executes the injected query, and using UNION-based injection across a handful of HTTP requests, the attacker enumerates tables and extracts all stored API credentials. Within minutes they have live OpenAI, Anthropic, and Cohere API keys. They configure their own LLM client with the stolen keys, gaining unlimited model access billed to the victim. If the database user has write privileges, they may also insert a backdoor API key into the proxy for persistent, stealthy access that survives a key rotation of the legitimate provider keys.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.
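
The query-construction flaw described in the advisory, next to the parameterized form the CWE guidance recommends, as an added example that is not LiteLLM's code. The `proxy_keys` table, its rows and the function names are hypothetical, and SQLite stands in for the proxy's database so the block runs offline.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the proxy key table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO proxy_keys VALUES (?, ?)",
                   [("sk-constructed-a", "team-a"), ("sk-constructed-b", "team-b")])
    return db

def bearer_value(header):
    """Extract the credential from an Authorization header value."""
    scheme, _, value = header.partition(" ")
    return value if scheme.lower() == "bearer" else ""

def lookup_concatenated(db, token):
    # Vulnerable pattern: the caller-supplied value is mixed into the query text.
    query = "SELECT owner FROM proxy_keys WHERE token = '" + token + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, token):
    # Fixed pattern: constant query text, value passed as a bound parameter.
    return db.execute("SELECT owner FROM proxy_keys WHERE token = ?",
                      (token,)).fetchall()

def outcome(lookup, db, token):
    """Summarise one lookup as 'match', 'no match' or 'error'."""
    try:
        return "match" if lookup(db, token) else "no match"
    except sqlite3.Error:
        return "error"  # the input altered the SQL syntax instead of being compared

if __name__ == "__main__":
    db = make_db()
    cases = ["Bearer sk-constructed-a",    # valid key
             "Bearer x' OR '1'='1' --",    # header value quoted in the scenario above
             "Bearer x'"]                  # lone quote
    for header in cases:
        token = bearer_value(header)
        print(repr(token), outcome(lookup_concatenated, db, token),
              outcome(lookup_parameterized, db, token))
```

A regression test for the fix can assert the second column: with bound parameters, every non-key input must come back as "no match", never "match" or "error".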

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: May 8, 2026
Last Modified: May 8, 2026
First Seen: May 8, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-42208.yaml -u https://target.example.com