

Ethical Hacking News

LiteLLM SQL Injection Vulnerability: A Critical Threat to AI Infrastructure




A critical vulnerability in BerriAI's popular LiteLLM Python package has been actively exploited in the wild within 36 hours of its public disclosure. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database. Organizations that rely on LiteLLM must take immediate action to patch their instances or implement additional security measures to mitigate the risk.

  • The LiteLLM Python package has a critical SQL injection vulnerability (CVE-2026-42208) that can be exploited to modify the proxy database.
  • The vulnerability arises from a flawed database query used during API key checks, allowing unauthenticated attackers to access and modify sensitive data.
  • The affected versions of LiteLLM are >=1.81.16 <1.83.7, and the first exploitation attempt was recorded within 36 hours of the public disclosure.
  • Security researcher Michael Clark analyzed the attack and noted that the attacker targeted specific database tables to extract sensitive information.
  • Users are advised to patch their instances to the latest version or set "disable_error_logs: true" to mitigate the risk.



    The latest security advisory from BerriAI has highlighted a critical vulnerability in their popular LiteLLM Python package, which has been actively exploited in the wild within 36 hours of its public disclosure. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database.

    According to the BerriAI maintainers, the vulnerability arises from a database query used during proxy API key checks, which mixes the caller-supplied key value into the query text instead of passing it as a separate parameter. This allows an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route and reach this query through the proxy's error-handling path. The attacker can then read data from the proxy's database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages.
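    The flaw described above is the classic string-built query. The following is an added illustration, not LiteLLM's code and not its real schema: an in-memory SQLite table stands in for the proxy's key table, `lookup_key_vulnerable` interpolates the caller-supplied key into the SQL text the way the advisory describes, and `lookup_key_parameterized` is the corrected form in which the query text is constant and the key travels as a bound parameter. The vulnerable variant also models the error-handling path, returning the database error (and the query it was built from) instead of swallowing it, which is exactly how untrusted input reaches the query parser and leaks information in the unpatched proxy.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the proxy's key table (not LiteLLM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, user_id TEXT)"
    )
    conn.execute(
        "INSERT INTO verification_tokens VALUES ('sk-valid-key-1', 'alice')"
    )
    conn.commit()
    return conn


def lookup_key_vulnerable(conn, api_key):
    """Anti-pattern: the caller-supplied key becomes part of the SQL text.

    Any quote or SQL syntax in the key is parsed as SQL. The except branch
    models an error-logging path that echoes the database error back to the
    caller, so the query text itself leaks on a malformed key.
    Returns (row, error_text).
    """
    query = f"SELECT user_id FROM verification_tokens WHERE token = '{api_key}'"
    try:
        row = conn.execute(query).fetchone()
        return row, None
    except sqlite3.Error as exc:
        return None, f"{type(exc).__name__}: {exc} -- query: {query}"


def lookup_key_parameterized(conn, api_key):
    """Hardened form: constant query text, key bound as a parameter.

    A key containing quotes is compared as an opaque string and simply does
    not match; it can never alter the statement the database executes.
    Returns (row, error_text) with the same shape as the vulnerable variant.
    """
    row = conn.execute(
        "SELECT user_id FROM verification_tokens WHERE token = ?", (api_key,)
    ).fetchone()
    return row, None


if __name__ == "__main__":
    db = make_db()
    for key in ("sk-valid-key-1", "sk-abc'"):
        print(repr(key), "vulnerable:", lookup_key_vulnerable(db, key))
        print(repr(key), "parameterized:", lookup_key_parameterized(db, key))
```

    With the constructed key `sk-abc'` the vulnerable lookup produces an `OperationalError` whose text carries the full query, while the parameterized lookup returns no row and no error. The defender's check is the same in any code base: search for f-strings, `%` formatting or `.format()` applied to SQL text, and confirm that every value originating from a request header is passed through the driver's parameter mechanism.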

    The vulnerability affects versions >=1.81.16 <1.83.7 of the LiteLLM package. While the vulnerability was addressed in version 1.83.7-stable released on April 19, 2026, the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database.

    Security researcher Michael Clark analyzed the attack and noted that the unknown threat actor targeted database tables like "litellm_credentials.credential_values" and "litellm_config" that hold information related to upstream large language model (LLM) provider keys and the proxy runtime environment. The attacker also used a different IP address ("65.111.25[.]67") in the second phase of the attack, this time abusing the access to run a similar probe.

    LiteLLM is a popular, open-source AI Gateway software with over 45,000 stars and 7,600 forks on GitHub. The project has previously been targeted by supply chain attacks, including one orchestrated by the TeamPCP hacking group to steal credentials and secrets from downstream users.

    Because the proxy database holds upstream provider keys and runtime configuration, the blast radius of a successful database extraction is closer to a cloud-account compromise than to that of a typical web-app SQL injection, according to Sysdig. This is what makes the vulnerability so severe for organizations that rely on LiteLLM.

    Users are advised to patch their instances to the latest version or set "disable_error_logs: true" under "general_settings" to remove the path through which untrusted input reaches the vulnerable query.

    The 36-hour exploit window is consistent with the broader collapse of exploit windows documented by the Zero Day Clock, and the operator behavior recorded (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC. The advisory and the open-source schema alone were enough to expose the vulnerability.

    In light of this critical security flaw, organizations that rely on LiteLLM must take immediate action to patch their instances or implement additional security measures to mitigate the risk. This includes setting up strict access controls, monitoring database activity for suspicious behavior, and ensuring that all software is up-to-date with the latest security patches.
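    The monitoring advice above can be made concrete. The block below is an added example, not LiteLLM's own logging or any product's detection rule: it scans constructed proxy access-log lines (a simplified, assumed format, not LiteLLM's real log shape) and flags requests whose Authorization header does not look like a well-formed API key, contains SQL metacharacters or keywords, or names the proxy tables the reported attacker went after (`litellm_credentials`, `litellm_config`). It then groups flagged requests by source address so that a single client repeatedly hitting the error path stands out, which matches the probing pattern the article describes.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "ts ip method path auth=\"...\" status=N"
# shape. Addresses are documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2026-04-27T09:00:02Z 203.0.113.10 POST /chat/completions auth="Bearer sk-a1B2c3D4e5F6" status=401
2026-04-27T09:00:05Z 203.0.113.10 POST /chat/completions auth="Bearer sk-a1B2c3D4e5F6' --" status=500
2026-04-27T09:00:09Z 203.0.113.10 POST /chat/completions auth="Bearer sk-' /* litellm_config */" status=500
2026-04-27T09:01:30Z 198.51.100.7 POST /embeddings auth="Bearer sk-Valid_Key-0099" status=200
2026-04-27T09:02:00Z 203.0.113.10 POST /chat/completions auth="Bearer sk-x' union select litellm_credentials" status=500
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'auth="(?P<auth>[^"]*)" status=(?P<status>\d+)$'
)
# Assumed key shape: "sk-" followed by at least eight key characters.
WELL_FORMED = re.compile(r"^Bearer sk-[A-Za-z0-9_-]{8,}$")
SQL_META = re.compile(r"""['";]|/\*|--""")
SQL_WORDS = re.compile(r"\b(union|select|from|where)\b", re.IGNORECASE)
# Table names taken from the article's description of what the attacker read.
TABLE_NAMES = re.compile(r"litellm_(credentials|config)", re.IGNORECASE)


def auth_header_reasons(auth):
    """Return the list of reasons an Authorization value looks suspicious.

    A legitimate key matches WELL_FORMED and trips none of the other checks;
    keyword matching alone would be noisy, so it is reported alongside the
    shape check rather than used on its own.
    """
    reasons = []
    if not WELL_FORMED.match(auth):
        reasons.append("malformed-key")
    if SQL_META.search(auth):
        reasons.append("sql-metachar")
    if SQL_WORDS.search(auth):
        reasons.append("sql-keyword")
    if TABLE_NAMES.search(auth):
        reasons.append("proxy-table-name")
    return reasons


def scan_log(text):
    """Parse each line and keep those whose auth header raised a reason."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line shape; a real pipeline would count these
        reasons = auth_header_reasons(m["auth"])
        if reasons:
            findings.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def probing_sources(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["path"], h["status"], ",".join(h["reasons"]))
    print("probing sources:", probing_sources(hits))
```

    Three of the five constructed lines are flagged, all from one address, and all of them ended in a 500 rather than a clean 401. That combination, malformed key plus server error plus repetition from one client, is the signal worth alerting on; a pre-auth flaw like this one leaves its trace in the request log before anything appears in application-level audit tables.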



    Related Information:
  • https://www.ethicalhackingnews.com/articles/LiteLLM-SQL-Injection-Vulnerability-A-Critical-Threat-to-AI-Infrastructure-ehn.shtml

  • https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html

  • https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/


  • Published: Wed Apr 29 01:26:02 2026 by llama3.2 3B Q4_K_M
