Full Report
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. [...]
Analysis Summary
# Vulnerability: Pre-authentication SQL Injection in LiteLLM
## CVE Details
- **CVE ID**: CVE-2026-42208
- **CVSS Score**: Not explicitly listed, but categorized as **Critical**
- **CWE**: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products**: LiteLLM (Open-source LLM gateway proxy/SDK)
- **Versions**: Versions prior to 1.83.7
- **Configurations**: Internet-exposed LiteLLM instances using the proxy API key verification feature.
## Vulnerability Description
A critical SQL injection (SQLi) vulnerability exists in the LiteLLM proxy during the API key verification process. The flaw stems from the use of string concatenation rather than parameterized queries when processing the `Authorization` header. An unauthenticated attacker can inject malicious SQL commands via a specially crafted `Authorization: Bearer` header sent to any LLM API route (e.g., `/chat/completions`).
## Exploitation
- **Status**: **Exploited in the wild**. Active exploitation was observed within 36 hours of public disclosure.
- **Complexity**: Low (Targeted attacks observed using precise payloads for specific table structures).
- **Attack Vector**: Network (Remote, pre-authentication).
- **PoC Available**: Yes (Methodology described by researchers involving crafted headers).
## Impact
- **Confidentiality**: **High**. Attackers can read sensitive data including virtual keys, master keys, provider credentials (OpenAI, Anthropic, Bedrock), and environment/config secrets.
- **Integrity**: **High**. The vulnerability allows for the modification of data within the proxy's database.
- **Availability**: **Medium** (Potential for database corruption or unauthorized configuration changes).
## Remediation
### Patches
- **Update to LiteLLM version 1.83.7 or later.** This version replaces vulnerable string concatenation with secure parameterized queries.
### Workarounds
- Set `disable_error_logs: true` under `general_settings` in the configuration. This blocks the specific code path through which malicious inputs reach the vulnerable query.
- **Credential Rotation**: If a vulnerable instance was internet-exposed, treat it as compromised. Rotate all virtual API keys, master keys, and provider credentials immediately.
## Detection
- **Indicators of Compromise (IoCs)**:
- Unusual SQL syntax or database table names (API key tables, credential tables) appearing in HTTP `Authorization` headers.
- Requests to `/chat/completions` with abnormally long or complex Bearer tokens.
- **Detection Methods**:
- Review web server/proxy logs for suspicious SQL patterns in headers.
- Monitor for unauthorized access to downstream LLM providers (OpenAI, AWS, etc.) using keys stored in LiteLLM.
## References
- Vendor Advisory: [https://github[.]com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc]
- Sysdig Research: [Reference to Sysdig's exploitation report]
- Project Repository: [https://github[.]com/BerriAI/litellm]