A critical security vulnerability in BerriAI’s LiteLLM Python package has been exploited in the wild within just 36 hours following its public disclosure. This vulnerability, identified as CVE-2026-42208 and carrying a CVSS score of 9.3, is a severe SQL injection flaw that allows attackers to manipulate the LiteLLM proxy database.
Details of the LiteLLM Vulnerability
The security flaw stems from improper handling of API key checks, where a database query was constructed by directly inserting a user-supplied key into the query text. This oversight enables an unauthenticated attacker to send a crafted Authorization header to any LLM API route, such as POST /chat/completions, allowing them to interact with the database through the proxy’s error-handling path. Consequently, attackers could potentially read or alter sensitive data, gaining unauthorized access to the proxy and its managed credentials.
Recorded Exploitation Attempts
The issue was addressed in version 1.83.7-stable of LiteLLM, released on April 19, 2026. However, exploitation attempts were detected shortly after, with the first recorded attack occurring on April 26. The malicious activities originated from the IP address 65.111.27[.]132, carrying out two phases of attacks. The attacker targeted specific database tables containing sensitive information, indicating a deep understanding of the database structure.
Initially, the threat actor focused on tables such as “litellm_credentials.credential_values” and “litellm_config,” which store vital information about upstream LLM provider keys and the proxy environment. In a subsequent phase, the attacker switched to a different IP address, 65.111.25[.]67, to conduct further probing activities.
Impact and Recommendations
LiteLLM is a widely used open-source AI Gateway software, boasting over 45,000 stars and 7,600 forks on GitHub. The potential impact of this vulnerability is significant, as a successful database breach could lead to a cloud-account compromise, akin to a supply chain attack. Users are strongly urged to update their LiteLLM instances to the latest version. If immediate updating is not feasible, disabling error logs is recommended to prevent vulnerable query paths from being exploited.
The rapid exploitation of this vulnerability highlights the increasing speed at which attackers leverage newly disclosed flaws, emphasizing the need for prompt patching and vigilant security practices in managing open-source software dependencies.
As the cybersecurity landscape evolves, organizations must remain proactive in addressing vulnerabilities and safeguarding their digital assets against such swift and sophisticated threats.
