CVE-2026-42208
published 2026-05-08

Priority: P1 (98) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2026-05-11)
Exploited in the wild
EPSS: 84.52% (99.7th percentile)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Affected

7 ranges

Vendor                         | Product                     | Version range        | Fixed in
ansible-automation-platform-26 | lightspeed-chatbot-rhel9    |                      |
berriai                        | litellm                     |                      |
lightspeed-core                | lightspeed-stack-rhel9      |                      |
litellm                        | litellm                     | >= 1.81.16, < 1.83.7 | 1.83.7
litellm                        | litellm                     | >= 1.81.16, < 1.83.7 | 1.83.7
rhoai                          | odh-llama-stack-core-rhel9  |                      |
rhoai                          | odh-mlflow-rhel9            |                      |

Detection & IOCs (extracted from sources)

IP: 65.111.27.132
IP: 65.111.25.67
Path: scanner/http/litellm_proxy_sqli
  • Monitor for SQL injection attempts via crafted Authorization: Bearer headers on any LLM API route, particularly POST /chat/completions, targeting LiteLLM proxy versions >=1.81.16 and <1.83.7.
  • Alert on database queries targeting the tables 'litellm_credentials.credential_values' and 'litellm_config', which hold upstream LLM provider keys and proxy runtime environment data; these were the specific tables targeted by the observed threat actor.
  • Detect attacker pivot behavior: a switch to a second source IP after an initial reconnaissance phase, reusing the same SQL injection payloads with more precise table/column targeting, indicative of the two-phase exploitation pattern observed in the wild.
  • The exploitation path runs through the proxy's error-handling code. Enabling 'disable_error_logs: true' under 'general_settings' blocks the path through which untrusted input reaches the vulnerable query; absence of this setting on internet-exposed instances is a risk indicator.
  • Check Point IPS signature 'LiteLLM SQL Injection (CVE-2026-42208)' is available for network-level detection of exploitation attempts.
  • The vulnerability is on the CISA KEV list (CVSS 4.0 score 9.3, pre-auth). Treat any internet-exposed LiteLLM instance running versions >=1.81.16 and <1.83.7 as potentially compromised; rotate all virtual API keys, master keys, and provider credentials stored in the proxy.
  • The vulnerability is exploitable only through the proxy's error-handling path. Setting 'disable_error_logs: true' under 'general_settings' is a documented workaround that removes the vulnerable code path when immediate patching to v1.83.7 is not possible.
  • The root cause is string concatenation of caller-supplied key values into SQL query text rather than parameterized queries. The fix in v1.83.7 replaces string concatenation with parameterized queries.
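As an added illustration of the root-cause bullet above (a constructed example, not LiteLLM's code; the table name, column names and key values are made up for the demo), the same key lookup written with string concatenation beside the parameterized form, plus a probe that runs both on one input and reports whether a quote character in the bearer token changed the statement:

```python
"""Constructed illustration of the bug class behind CVE-2026-42208:
a caller-supplied API key concatenated into SQL text versus bound as a
parameter. Nothing here is LiteLLM's schema or code; the table
demo_verification_tokens and its rows are made up for the example."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table of hypothetical virtual keys (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE demo_verification_tokens (token TEXT PRIMARY KEY, team TEXT)"
    )
    conn.executemany(
        "INSERT INTO demo_verification_tokens VALUES (?, ?)",
        [("sk-demo-alpha", "team-a"), ("sk-demo-beta", "team-b")],
    )
    conn.commit()
    return conn


def lookup_key_concat(conn: sqlite3.Connection, bearer_token: str):
    """Vulnerable pattern: the untrusted token becomes part of the SQL text,
    so quote characters inside it change the structure of the statement."""
    sql = f"SELECT team FROM demo_verification_tokens WHERE token = '{bearer_token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_key_param(conn: sqlite3.Connection, bearer_token: str):
    """Fixed pattern: the token is bound as a parameter and is only ever data."""
    row = conn.execute(
        "SELECT team FROM demo_verification_tokens WHERE token = ?",
        (bearer_token,),
    ).fetchone()
    return row[0] if row else None


def probe(bearer_token: str) -> dict:
    """Run both lookups on the same input. 'concat_altered_query' is True when
    the concatenated form let the input break the statement (seen here as a
    SQL error), while the parameterized form simply finds no matching key."""
    conn = build_demo_db()
    result = {"param": lookup_key_param(conn, bearer_token)}
    try:
        result["concat"] = lookup_key_concat(conn, bearer_token)
        result["concat_altered_query"] = False
    except sqlite3.OperationalError:
        # Unterminated or malformed SQL: the token changed the query text.
        result["concat"] = None
        result["concat_altered_query"] = True
    return result


if __name__ == "__main__":
    print(probe("sk-demo-alpha"))   # both lookups agree on a well-formed key
    print(probe("sk-demo-alpha'"))  # a stray quote: error in concat, None in param
```

Running it directly shows the two behaviours side by side: a well-formed key resolves identically in both versions, while a token carrying a stray quote is rejected cleanly by the parameterized lookup but produces a SQL error from the concatenated one. That error is the shape of failure that surfaces through an error-handling path, and a burst of such database errors tied to Authorization headers on LLM routes is the log signal worth alerting on.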

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0): 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa: 9.8 CRITICAL
cisa: 9.3 CRITICAL
vendor_redhat: 9.8 CRITICAL