Categories: Cyber Security News

Critical LiteLLM SQL Injection Vulnerability Exploited in the Wild

A critical pre-authentication SQL injection vulnerability, tracked as CVE-2026-42208, has been discovered in the widely used LiteLLM gateway, exposing sensitive backend databases to unauthorized access.

Security researchers have confirmed that threat actors are already actively exploiting this flaw to steal high-value secrets, including API keys and provider credentials.

Overview of the Vulnerability

LiteLLM is an open-source proxy designed to connect applications with large language models from providers such as OpenAI and Anthropic.

The vulnerability stems from improper handling of the Authorization: Bearer header during authentication checks.

Because the query is not parameterized, the user-supplied header value is passed straight into the SQL statement that the backend database executes.

This allows attackers to inject malicious SQL commands. Since the flaw exists in a pre-authentication component, attackers do not require valid credentials to exploit it.

Any LiteLLM instance reachable from the internet becomes an easy target. Attackers can execute arbitrary SQL queries, retrieve sensitive data, and potentially manipulate backend configurations.
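The defect class the write-up describes, shown beside its parameterized fix, as an added example that is not LiteLLM's code: the table name, column names and the stored key are constructed stand-ins for the gateway's key store, and the lookup runs against an in-memory SQLite database rather than the real backend.

```python
import sqlite3


def make_db():
    """Create an in-memory table standing in for the gateway's key store.

    The table and column names are constructed for this example and are
    not LiteLLM's real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE verification_token (token TEXT PRIMARY KEY, user_id TEXT)"
    )
    conn.execute("INSERT INTO verification_token VALUES ('sk-valid-key', 'alice')")
    conn.commit()
    return conn


def parse_bearer(header_value):
    """Return the token from an 'Authorization: Bearer <token>' value, or None."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def lookup_vulnerable(conn, header_value):
    """Concatenates the header token into the SQL text (the defect class the
    advisory describes): any SQL syntax inside the token becomes part of the query."""
    token = parse_bearer(header_value)
    if token is None:
        return None
    sql = "SELECT user_id FROM verification_token WHERE token = '" + token + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, header_value):
    """Binds the token as a query parameter: the database treats it purely as
    data, so the same tautology input matches no row and is rejected."""
    token = parse_bearer(header_value)
    if token is None:
        return None
    row = conn.execute(
        "SELECT user_id FROM verification_token WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "Bearer ' OR '1'='1"  # constructed input containing no valid key
    print("vulnerable:", lookup_vulnerable(db, tautology))  # alice (check bypassed)
    print("hardened:  ", lookup_hardened(db, tautology))    # None (rejected)
```

The only difference between the two lookups is the `?` placeholder with a bound parameter; that single change is what the fixed release enforces according to the write-up, and it is the check to look for when reviewing any code path that turns a request header into a query.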

The issue was first disclosed in the LiteLLM repository on April 20, 2026, and quickly indexed in public vulnerability databases.

According to Sysdig, attackers began developing tailored exploits almost immediately after disclosure, indicating a high level of interest in AI infrastructure.

Threat researchers observed the first exploitation attempts within just 36 hours of public disclosure. Unlike traditional automated SQL injection campaigns, these attacks were highly targeted and precise.

Attackers demonstrated knowledge of LiteLLM’s internal schema by using column enumeration techniques to map database structures.

They also rotated IP addresses to evade detection and maintain persistence.

The primary goal of these attacks is to extract sensitive data from key tables, including:

  • LiteLLM_VerificationToken: Stores virtual API and master keys, enabling attackers to reuse them from any location.
  • litellm_credentials: Contains upstream provider credentials, granting access to costly and high-privilege AI services.
  • litellm_config: Holds environment configurations, including database connections and runtime settings.

This level of access can lead to severe operational and financial impact, as AI gateways often serve as centralized access points for enterprise-scale services.

Administrators are strongly advised to upgrade immediately to LiteLLM version 1.83.7, which fixes the vulnerability by enforcing proper query parameterization.

Any system running a vulnerable version and exposed to the internet should be treated as potentially compromised.

Security teams should:

  • Rotate all API keys and credentials stored within LiteLLM.
  • Audit database access logs for suspicious queries.
  • Restrict external access to LiteLLM instances where possible.
  • Monitor threat intelligence sources for ongoing exploitation activity.
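As an added example for the "audit database access logs" step (not from the article or the LiteLLM project), a small triage script that scans constructed Postgres-style statement-log lines for the column enumeration and injection patterns the write-up describes. The log format, the indicator patterns, and the sample lines are all assumptions; only the three table names come from the article.

```python
import re

# Tables the write-up names as the attackers' targets (compared case-insensitively).
SENSITIVE_TABLES = ("litellm_verificationtoken", "litellm_credentials", "litellm_config")

# Pulls the SQL text out of a Postgres-style "LOG:  statement: ..." line (assumed format).
STATEMENT_RE = re.compile(r"statement:\s*(.+)$")

# Coarse indicators of injection or reconnaissance in statement text.
INDICATORS = {
    # Reading catalog views is how column enumeration shows up in statement logs.
    "schema-enumeration": re.compile(r"information_schema\.|pg_catalog\.", re.I),
    # OR <x> = <x> with the same literal on both sides (e.g. OR '1'='1').
    "tautology": re.compile(r"\bor\b\s+('?)(\w+)\1\s*=\s*\1\2\1", re.I),
    "union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    # Comment markers used to cut off the remainder of the original query.
    "comment-truncation": re.compile(r"--|/\*"),
}


def analyze_statement(stmt):
    """Return (reasons, touches_sensitive_table) for one SQL statement."""
    lowered = stmt.lower()
    touches_sensitive = any(t in lowered for t in SENSITIVE_TABLES)
    reasons = [name for name, rx in INDICATORS.items() if rx.search(stmt)]
    return reasons, touches_sensitive


def flag_suspicious(lines):
    """Flag log lines whose statement enumerates the schema, or carries an
    injection indicator while touching one of the sensitive tables.
    Parameterized queries ($1, $2, ...) against those tables are normal and pass."""
    findings = []
    for line in lines:
        m = STATEMENT_RE.search(line)
        if not m:
            continue
        reasons, sensitive = analyze_statement(m.group(1))
        if "schema-enumeration" in reasons or (sensitive and reasons):
            findings.append({"line": line, "reasons": reasons, "sensitive_table": sensitive})
    return findings


# Constructed sample lines in Postgres statement-log style; not real traffic.
LOG_LINES = [
    '2026-04-22 03:14:07 UTC [12345] litellm@litellm LOG:  statement: SELECT * FROM "LiteLLM_VerificationToken" WHERE token = $1',
    "2026-04-22 03:14:09 UTC [12346] litellm@litellm LOG:  statement: SELECT column_name FROM information_schema.columns WHERE table_name = 'LiteLLM_VerificationToken'",
    """2026-04-22 03:14:11 UTC [12346] litellm@litellm LOG:  statement: SELECT * FROM "LiteLLM_VerificationToken" WHERE token = '' OR '1'='1' --'""",
    '2026-04-22 03:14:12 UTC [12347] litellm@litellm LOG:  statement: UPDATE "litellm_config" SET param_value = $1 WHERE param_name = $2',
]

if __name__ == "__main__":
    for finding in flag_suspicious(LOG_LINES):
        print(", ".join(finding["reasons"]), "->", finding["line"])
```

The heuristics are deliberately coarse: a hit means "a human should read this statement", not "confirmed compromise". The source process id in the log line (12346 in the sample) is worth carrying along, since the write-up notes that reconnaissance and extraction arrived as a targeted sequence, and correlating catalog reads with later queries against the same tables from one connection is a stronger signal than any single line.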

This incident highlights how quickly attackers weaponize newly disclosed vulnerabilities, especially those affecting AI infrastructure.

Relying solely on standard vulnerability databases may delay response, making proactive monitoring and rapid patching essential.


The post Critical LiteLLM SQL Injection Vulnerability Exploited in the Wild appeared first on Cyber Security News.
