LiteLLM SQL injection exploited in wild (CVE-2026-42208) [PoC]
CVE-2026-42208: LiteLLM 1.81.16-1.83.6 SQL injection lets unauthenticated attackers read/modify database. Update to 1.83.7.
Actively exploited in the wild - CVE-2026-42208 is a critical SQL injection in LiteLLM (AI Gateway) 1.81.16 through 1.83.6 that lets unauthenticated attackers read and modify the proxy’s database. This grants access to the proxy’s managed API credentials. Patched in version 1.83.7 - update immediately.
Overview
CVE-2026-42208 is a SQL injection vulnerability in LiteLLM, a popular open-source AI Gateway that proxies requests to large language model (LLM) APIs. The flaw lies in the database query used during API key validation: instead of passing the caller-supplied key value as a separate query parameter, LiteLLM versions 1.81.16 through 1.83.6 concatenated it directly into the query text.
An unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API endpoint (such as POST /chat/completions). The malicious header reaches the vulnerable query through the proxy’s error-handling path, triggering the SQL injection.
Impact
The vulnerability carries a CVSS score of 9.8 (CRITICAL). Successful exploitation allows an unauthenticated attacker to:
- Read arbitrary data from the LiteLLM proxy database
- Modify database contents
- Access and exfiltrate managed API credentials for LLM providers (OpenAI, Anthropic, etc.)
- Potentially pivot to downstream systems using compromised credentials
The CISA Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation. Despite a low EPSS score (0.1% probability in 30 days), the confirmed in-the-wild activity makes immediate patching critical.
Remediation
Upgrade to LiteLLM version 1.83.7 or later. No workarounds are available for this vulnerability.
Detection
Organizations should audit LiteLLM proxy logs for unusual Authorization header patterns, particularly requests that trigger database errors or contain SQL-like syntax. Monitor for unexpected database queries from the proxy service.
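The log audit described above, as an added example that is not part of the advisory or of LiteLLM itself. It scans constructed access-log lines in an assumed format (method, path, status, a db_error flag and the Authorization header) and flags the two cues the advisory names: SQL-like syntax in the Authorization header, and requests that ended in a database error.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in an assumed access-log format (not real LiteLLM
# output): <method> <path> status=<code> db_error=<0|1> auth="<header>"
SAMPLE_LOGS = [
    'POST /chat/completions status=200 db_error=0 auth="Bearer sk-validkey0001"',
    'POST /chat/completions status=401 db_error=0 auth="Bearer sk-expiredkey02"',
    'POST /chat/completions status=500 db_error=1 auth="Bearer sk-x\' OR \'1\'=\'1"',
    'POST /embeddings status=500 db_error=1 auth="Bearer sk-y\'; SELECT 1 --"',
    'GET /health status=200 db_error=0 auth=""',
]

LINE_RE = re.compile(
    r'^(?P<method>\S+) (?P<path>\S+) status=(?P<status>\d+) '
    r'db_error=(?P<db_error>[01]) auth="(?P<auth>.*)"$'
)
# Characters and keywords that have no place in an API key but are
# load-bearing in SQL: quotes, statement separators, comment markers.
SQLISH_RE = re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str
    auth: str


def suspicious_auth(header: str) -> bool:
    """True when the Authorization header carries SQL-like syntax."""
    return bool(SQLISH_RE.search(header))


def scan(lines: List[str]) -> List[Finding]:
    """Flag requests whose Authorization header looks like SQL, and any other
    request that produced a database error during key validation (the path
    the advisory says a crafted header takes)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        auth = m["auth"]
        if suspicious_auth(auth):
            findings.append(Finding(m["path"], "sql-like Authorization header", auth))
        elif m["db_error"] == "1":
            findings.append(Finding(m["path"], "database error during key validation", auth))
    return findings
```

Running `scan(SAMPLE_LOGS)` flags the two 500-status requests carrying quotes and SQL keywords and leaves the valid, expired and unauthenticated requests alone.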
Security Insight
This vulnerability highlights a recurring pattern in API gateway infrastructure: authentication bypass via SQL injection in key validation logic. As AI gateways become critical infrastructure for enterprise LLM access, their input sanitization must match the rigor of traditional API gateways. The fact that an error-handling path introduced this exposure suggests LiteLLM’s threat model did not consider unauthenticated paths to its database layer. For ongoing coverage of similar vulnerabilities, see our security news and breach reports.
Further Reading
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| 0xBlackash/CVE-2026-42208 | CVE-2026-40487 | ★ 0 |
| Zeltoc/threat-intel-brief-cve-2026-42208-litellm | Threat intelligence brief on CVE-2026-42208, a critical pre-auth SQL injection in BerriAI LiteLLM exploited within 36 hours of disclosure. Covers attack path, detection opportunities, and recommended | ★ 0 |
Showing 2 of 2 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST ...
Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers t...
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directl...
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to ...