LiteLLM SQL injection exploited in wild (CVE-2026-42208)
CVE-2026-42208
CVE-2026-42208: LiteLLM 1.81.16-1.83.6 SQL injection lets unauthenticated attackers read/modify database. Update to 1.83.7.
Actively exploited in the wild - CVE-2026-42208 is a critical SQL injection in LiteLLM (AI Gateway) 1.81.16 through 1.83.6 that lets unauthenticated attackers read and modify the proxy’s database. This grants access to the proxy’s managed API credentials. Patched in version 1.83.7 - update immediately.
Overview
CVE-2026-42208 is a SQL injection vulnerability in LiteLLM, a popular open-source AI Gateway that proxies requests to large language model (LLM) APIs. The flaw exists in the database query used during API key validation. Instead of passing the caller-supplied key value as a separate parameter, LiteLLM version 1.81.16 through 1.83.6 concatenated it directly into the query text.
An unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API endpoint (such as POST /chat/completions). The malicious header reaches the vulnerable query through the proxy’s error-handling path, triggering the SQL injection.
Impact
The vulnerability carries a CVSS score of 9.8 (CRITICAL). Successful exploitation allows an unauthenticated attacker to:
- Read arbitrary data from the LiteLLM proxy database
- Modify database contents
- Access and exfiltrate managed API credentials for LLM providers (OpenAI, Anthropic, etc.)
- Potentially pivot to downstream systems using compromised credentials
The CISA Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation. Despite a low EPSS score (0.1% probability in 30 days), the confirmed in-the-wild activity makes immediate patching critical.
Remediation
Upgrade to LiteLLM version 1.83.7 or later. No workarounds are available for this vulnerability.
Detection
Organizations should audit LiteLLM proxy logs for unusual Authorization header patterns, particularly requests that trigger database errors or contain SQL-like syntax. Monitor for unexpected database queries from the proxy service.
Security Insight
This vulnerability highlights a recurring pattern in API gateway infrastructure: authentication bypass via SQL injection in key validation logic. As AI gateways become critical infrastructure for enterprise LLM access, their input sanitization must match the rigor of traditional API gateways. The fact that an error-handling path introduced this exposure suggests LiteLLM’s threat model did not consider unauthenticated paths to its database layer. For ongoing coverage of similar vulnerabilities, see our security news and breach reports.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers t...
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directl...
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to ...
SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticate...