A severe vulnerability in the open source AI gateway LiteLLM was exploited just days after it was publicly disclosed, according to reports by Sysdig. This issue, identified as CVE-2026-42208 with a critical CVSS score of 9.3, allowed unauthorized access to sensitive database tables.
Details of the Security Flaw
The vulnerability, classified as an SQL injection, sits in the proxy's API key verification stage. LiteLLM’s maintainers noted in an advisory issued on April 20 that a database query did not treat the caller-supplied value as a separate parameter; instead, the value was embedded directly in the query text.
This flaw enabled attackers to send manipulated Authorization headers to any LLM API route, reaching the proxy’s error-handling path. According to Sysdig, the injection occurs before the authentication decision is made, so any HTTP client that can reach the proxy port could potentially exploit it.
Exploitation and Impact
By leveraging this vulnerability, attackers gained access to the LiteLLM proxy’s database, potentially allowing them to read and alter data, including leaking stored credentials. Sysdig reported that the advisory was recognized in the GitHub Advisory database on April 24, and related attacks were observed shortly thereafter, within a mere 36 hours.
Attackers specifically targeted three database tables holding sensitive data like API keys, provider credentials, and proxy configuration variables. The methodical nature of the attacks, utilizing knowledge of LiteLLM’s PostgreSQL identifier casing, was noted, although no further misuse of the extracted data has been reported.
Response and Mitigation
The observed attacks occurred 21 minutes apart and appeared to be automated, using identical payloads from varying origin IPs. Sysdig presented the speed and precision of the attack pattern as the significant finding, rather than reporting a confirmed system compromise.
The vulnerability has been addressed in LiteLLM version 1.83.7, which ensures that the input value is always passed to the query as a separate parameter. Users are strongly encouraged to update to this patched version immediately or, as a temporary measure, disable error logging to prevent exploitation.
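To make the defect class concrete, the following added example (not LiteLLM’s own code; the table name, schema and token values are constructed stand-ins) contrasts a key lookup that embeds the bearer token in the SQL text with one that binds it as a separate parameter, which is the fix the advisory describes:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a proxy key table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, user_id TEXT)")
    conn.execute("INSERT INTO verification_tokens VALUES ('sk-constructed-123', 'alice')")
    conn.commit()
    return conn


def bearer_token(authorization_header):
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_key_unsafe(conn, token):
    # Defect class from the advisory: the caller-supplied value becomes part of
    # the SQL text, so any quote character in it changes the query's meaning.
    sql = f"SELECT user_id FROM verification_tokens WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_key_safe(conn, token):
    # Fixed form: the value is bound as a separate parameter and stays data,
    # whatever characters it contains.
    sql = "SELECT user_id FROM verification_tokens WHERE token = ?"
    row = conn.execute(sql, (token,)).fetchone()
    return row[0] if row else None


def verify(conn, authorization_header, lookup=lookup_key_safe):
    """Return the user id for a valid key, or None if the header does not match."""
    token = bearer_token(authorization_header)
    if token is None:
        return None
    return lookup(conn, token)
```

With the bound-parameter lookup a token such as `sk-it's` is simply an unknown key, whereas the concatenating lookup turns the same header into a malformed query, which is exactly the error path the advisory's temporary mitigation (disabling error logging) is meant to close off.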
Related advisories and updates underscore the ongoing necessity for timely security patches in software ecosystems, citing vulnerabilities like those found in OpenEMR and updates in browsers such as Chrome and Firefox.
