LiteLLM SQL Injection Exploited 36 Hours After Disclosure—CISA Issues Deadline

A critical SQL injection vulnerability in BerriAI's LiteLLM Python package was exploited in the wild within 36 hours of public disclosure. CVE-2026-42208 carries a CVSS score of 9.3 and affects the popular open-source LLM gateway used as a frontend for OpenAI, Anthropic, and other model providers.

On May 8, 2026, CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply patches by today, May 11.

The Vulnerability

The flaw stems from improper database query construction during proxy API key validation. According to LiteLLM maintainers, a database query used during API key checks "mixed the caller-supplied key value into the query text instead of passing it as a separate parameter."

In affected versions (1.81.16 through 1.83.6), the Bearer value is concatenated directly into a SELECT statement against the LiteLLM_VerificationToken table without parameter binding. This is a textbook SQL injection setup.

An unauthenticated attacker can send a specially crafted Authorization header to any LLM API route (like POST /chat/completions) and reach this query through the proxy's error-handling path.

Exploitation Timeline

Researchers observed the first exploitation attempt on April 26, 2026 at 16:17 UTC—approximately 26 hours after the GitHub Advisory was indexed. The speed here is consistent with the accelerating exploit timelines we've been tracking.

Initial probes came from 65.111.27[.]132, with a second phase from 65.111.25[.]67.

What Attackers Targeted

The threat actor showed precise knowledge of LiteLLM's schema, specifically probing:

• litellm_credentials.credential_values (upstream LLM provider API keys)
• litellm_config (proxy runtime environment)

Tables like litellm_users and litellm_team were notably ignored. The attackers knew exactly what they wanted: the API keys for OpenAI, Anthropic, AWS Bedrock, and other providers stored in the proxy database.

A single compromised litellm_credentials row often holds substantial value: OpenAI organization keys with five-figure monthly spend caps, Anthropic console keys with workspace admin rights, and AWS Bedrock IAM credentials.

Affected Versions and Fix

• Affected: LiteLLM versions 1.81.16 through 1.83.6
• Fixed: Version 1.83.7-stable (released April 19, 2026)

The fix replaces string interpolation with a parameterized query—the standard remedy for SQL injection that should have been in place from the start.

Temporary Mitigation

If immediate patching isn't possible, administrators can set disable_error_logs: true under general_settings to block the vulnerable query path. But this is a stopgap—patching is the only real fix.

Why This Matters

LiteLLM has over 45,000 GitHub stars and serves as critical infrastructure for many AI applications. Organizations using it as a proxy for multiple LLM providers have concentrated their API credentials in a single location—making it a high-value target.

The 36-hour exploitation window demonstrates that vulnerabilities in AI infrastructure get the same fast-follow treatment as traditional software. The recent n8n vulnerability showed similar patterns: critical flaws in automation platforms that handle sensitive credentials.

Any internet-facing LiteLLM instance running affected versions during the exposure window should be treated as compromised. Rotate all upstream provider credentials and audit for unauthorized usage.