CVE-2026-42208
published 2026-05-08CVE-2026-42208: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used…
PriorityP198critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2026-05-11
Exploited in the wild
EPSS
84.52%
99.7th percentile
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| berriai | litellm | — | — |
| lightspeed-core | lightspeed-stack-rhel9 | — | — |
| litellm | litellm | >= 1.81.16 < 1.83.7 | 1.83.7 |
| litellm | litellm | >= 1.81.16 < 1.83.7 | 1.83.7 |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for SQL injection attempts via crafted Authorization: Bearer headers on any LLM API route, particularly POST /chat/completions, targeting LiteLLM proxy versions >=1.81.16 and <1.83.7. ↗
- →Alert on database queries targeting the tables 'litellm_credentials.credential_values' and 'litellm_config', which hold upstream LLM provider keys and proxy runtime environment data — these were the specific tables targeted by the observed threat actor. ↗
- →Detect attacker pivot behavior: a switch to a second source IP after an initial reconnaissance phase, reusing the same SQL injection payloads with more precise table/column targeting — indicative of a two-phase exploitation pattern observed in the wild. ↗
- →The exploitation path runs through the proxy's error-handling code. Enabling 'disable_error_logs: true' under 'general_settings' blocks the path through which untrusted input reaches the vulnerable query — absence of this setting on internet-exposed instances is a risk indicator. ↗
- →Check Point IPS signature 'LiteLLM SQL Injection (CVE-2026-42208)' is available for network-level detection of exploitation attempts. ↗
- →The vulnerability is on the CISA KEV list (CVSS 9.3, pre-auth). Treat any internet-exposed LiteLLM instance running versions >=1.81.16 and <1.83.7 as potentially compromised; rotate all virtual API keys, master keys, and provider credentials stored in the proxy. ↗
- ·The vulnerability is exploitable only through the proxy's error-handling path. Setting 'disable_error_logs: true' under 'general_settings' is a documented workaround that removes the vulnerable code path when immediate patching to v1.83.7 is not possible. ↗
- ·The root cause is string concatenation of caller-supplied key values into SQL query text rather than parameterized queries. The fix in v1.83.7 replaces string concatenation with parameterized queries. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa9.8CRITICAL
cisa9.3CRITICAL
vendor_redhat9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
ghsa·2026-06-26·CVSS 9.8
CVE-2026-42208 [CRITICAL] CWE-506 semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
## Impact
semantic-router versions 0.1.8 through 0.1.14 declare `litellm>=1.61.3` with no upper bound. During the window in which `litellm==1.82.8` was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.
The malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes on Python interpreter startup — no import required. It collects and exfiltrates:
- Process environment variables
- AWS / GCP / Azure credentials
- SSH keys, Kubernetes configs, shell history
- Database credentials and CI/CD secrets
- Cryptocurrency wallets
Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) an
VulDB
BerriAI LiteLLM up to 1.83.6 /chat/completions sql injection
vuldb·2026-05-08·CVSS 9.3
CVE-2026-42208 [CRITICAL] BerriAI LiteLLM up to 1.83.6 /chat/completions sql injection
A vulnerability classified as critical was found in BerriAI LiteLLM up to 1.83.6. Affected is an unknown function of the file /chat/completions. The manipulation results in sql injection.
This vulnerability was named CVE-2026-42208. The attack may be performed from remote. In addition, an exploit is available.
Upgrading the affected component is advised.
GHSA
LiteLLM has SQL Injection in Proxy API key verification
ghsa·2026-04-24
CVE-2026-42208 [CRITICAL] CWE-89 LiteLLM has SQL Injection in Proxy API key verification
LiteLLM has SQL Injection in Proxy API key verification
### Impact
A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted `Authorization` header to any LLM API route (for example `POST /chat/completions`) and reach this query through the proxy's error-handling path.
An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.
### Patches
Fixed in **`1.83.7`**. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to `1.83.7` or later.
### Workarounds
If upgrading is not immediately possible
VulnCheck
Vulnerability
vulncheck·2026
CVE-2026-42208 Vulnerability
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://webflow.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure
CISA
BerriAI LiteLLM SQL Injection Vulnerability
cisa·2026-05-08·CVSS 9.3
CVE-2026-42208 [CRITICAL] CWE-89 BerriAI LiteLLM SQL Injection Vulnerability
Vulnerability: BerriAI LiteLLM SQL Injection Vulnerability
Affected: BerriAI LiteLLM
BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorised access to the proxy and the credentials it manages.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc ; https://nvd.nist.gov/vuln/detail/CVE-2026-42208
Remediation Due Date: 2026-05-11
Red Hat
LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
vendor_redhat·2026-04-28·CVSS 9.8
CVE-2026-42208 [CRITICAL] CWE-89 LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
A flaw was found in LiteLLM. A database query used for proxy API key checks incorrectly incorporated caller-supplied key values directly into the query. This vulnerability allows an unauthenticated attacker to send a specially crafted Authorization header to any Large Language Model (LLM) API route, exploiting the proxy's error-handling path. Successful exploitation could enable the attacker to read and potentially modify data within the proxy's database, leading to unauthorized access to the proxy and its managed credentials.
Statement: This Critical SQL injection vulnerability in LiteLLM's proxy API key verification allows unauthenticated attackers to read and modify database data, leading to unauthorized acc
No detection rules found.
Metasploit
BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
metasploit·CVSS 9.8
CVE-2026-42208 [CRITICAL] BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
This module detects BerriAI LiteLLM proxy servers affected by CVE-2026-42208, an unauthenticated SQL injection. During API-key verification the proxy interpolates the raw Authorization bearer value into a PostgreSQL query (WHERE v.token = '') without parameterization. Because LiteLLM only hashes tokens that begin with "sk-", a bearer value that does not start with "sk-" reaches the query verbatim and is injectable. The failure path that performs the lookup is reachable before authentication. Affected versions are 1.81.16 through 1.83.6 (fixed in 1.83.7). The module confirms the flaw with a benign time-based check built on the framework's PostgreSQL time-based blind SQL injection library. It issues a request whose injected predicate slee
Nuclei
LiteLLM - SQL Injection
nuclei·CVSS 9.3
CVE-2026-42208 [CRITICAL] LiteLLM - SQL Injection
LiteLLM - SQL Injection
LiteLLM 1.81.16 to = 6'
condition: and
# digest: 4a0a00473045022100ba040c375a9568ebbbb57daec8f67f16cfd6a1d9df3ebca3311a70133d5398f2022075194f627efaa38339b23091f7db2c5589eeef6d731bd6c4915c78029bc67a04:922c64590222798bb761d5b6d8e72950
Rapid7
Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more
blogs_rapid7·2026-06-26·CVSS 8.2
CVE-2025-25205 [HIGH] Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more
## Help shape the future of Metasploit Framework
We are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here , and you can submit your responses to the form here . The form will stop accepting responses on the 1st of July, 2026.
New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfo
Hackernews
LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
blogs_hackernews·2026-06-09·CVSS 8.8
CVE-2026-42271 [HIGH] LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-42271 (CVSS score: 8.7), is a command injection vulnerability that could allow any authenticated user to run arbitrary commands on the host.
It affects the following version of the LiteLLM Python package -
>= 1.74.2
< 1.83.7
"Two endpoints used to preview an MCP server before saving
Recorded Future
May 2026 CVE Landscape
blogs_recorded_future·2026-06-08
CVE-2026-26980 May 2026 CVE Landscape
## May 2026 CVE Landscape
In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation , all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.
These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.
The 41 vulnerabilities in this report affected products from 20 vendors. Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enter
Checkpoint
4th May – Threat Intelligence Report
blogs_checkpoint·2026-05-04·CVSS 9.9
CVE-2026-26268 [CRITICAL] 4th May – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 4th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat group ShinyHunters claimed the theft of 9 million records, and Medtronic is evaluating what data was expose
Hackernews
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
blogs_hackernews·2026-05-04·CVSS 9.3
CVE-2026-41940 [CRITICAL] ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
Here’s the full week
Talos
Great responsibility, without great power
blogs_talos·2026-04-30
CVE-2026-42208 Great responsibility, without great power
## Great responsibility, without great power
Welcome to this week’s edition of the Threat Source newsletter.
As I’m writing this, today (April 28) is International Superhero Day. If you don’t know the origin story behind this, perhaps you would assume that this day was dreamed up by Marvel. And… you would be correct.
However, it’s not a pure marketing ploy. It all started in 1995, when colleagues in Marvel asked a group of school children what superpower they’d want the most.
Through the discussion, it became clear that the people in the children’s lives were already doing pretty heroic things, without the benefit of Hindsight Lad. (He’s a real Marvel invention — Carlton LaFroyge — whose superpower was to make aggressively obvious observations, delivered too late to matter. I’m sure we
Hackernews
LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
blogs_hackernews·2026-04-29
CVE-2026-42208 LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge.
The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database.
"A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as
Bleepingcomputer
Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
blogs_bleepingcomputer·2026-04-28
CVE-2026-42208 Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
## Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
## Bill Toulas
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208.
The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route.
This allows reading data from the proxy's database and modifying it. According to the maintainer's security advisory , threat actors could use it for "unauthorised access to the proxy and the credentials it manages."
A fix was delivered in LiteLLM version 1.83.7 to replace string concatenation with parameterized qu
Bugzilla
CVE-2026-42208 LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
bugzilla·2026-04-29
CVE-2026-42208 [CRITICAL] CVE-2026-42208 LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
CVE-2026-42208 LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
Impact
A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path.
An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.
Patches
Fixed in 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later.
Workarounds
If upgrading is not immediatel
https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stablehttps://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmchttps://access.redhat.com/security/cve/CVE-2026-42208https://bugzilla.redhat.com/show_bug.cgi?id=2463965https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42208.jsonhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208
2026-05-08
Published
2026-05-08
Added to CISA KEV
Exploited in the wild