
Ethical Hacking News

U.S. CISA Adds BerriAI LiteLLM Vulnerability to Known Exploited Vulnerabilities Catalog: A Growing Threat Landscape for Federal Agencies



U.S. CISA Adds BerriAI LiteLLM Vulnerability to Known Exploited Vulnerabilities Catalog, Warns Federal Agencies of Imminent Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the BerriAI LiteLLM Python package to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address the issue by May 11, 2026. The vulnerability, an SQL injection in the proxy API key verification process, allows attackers to access and potentially modify database data, putting sensitive information at risk.


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the BerriAI LiteLLM Python package to its Known Exploited Vulnerabilities (KEV) catalog.
  • The vulnerability, CVE-2026-42208, is an SQL injection in the proxy API key verification process with a CVSS score of 9.3.
  • Attackers began exploiting this vulnerability just 36 hours after its public disclosure on April 19, 2026.
  • The vulnerability allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized access and manipulation of sensitive data.
  • CISA has issued a warning for federal agencies to address the vulnerability by May 11, 2026.



    In a move aimed at bolstering the security posture of federal agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken the proactive step of adding a critical vulnerability in the BerriAI LiteLLM Python package to its Known Exploited Vulnerabilities (KEV) catalog. This development serves as a stark reminder of the ever-evolving threat landscape that federal agencies must navigate to safeguard their networks and sensitive information.

    The added vulnerability, designated as CVE-2026-42208 with a CVSS score of 9.3, represents an SQL injection in the proxy API key verification process of the LiteLLM package. This critical flaw allows attackers to inject malicious SQL code into the database query, potentially leading to unauthorized access and manipulation of sensitive data.
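    The following is an added, generic illustration of the class of flaw described above, not code from LiteLLM or from any of the articles referenced on this page. It uses an in-memory SQLite table with a constructed schema (virtual_keys) and a constructed key value to show why splicing a caller-supplied API key into the SQL text lets that key be parsed as query syntax, and how binding the value as a parameter closes the hole. The is_well_formed_key pattern is an assumed defense-in-depth check, not a LiteLLM key format.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a proxy's virtual-key table.
# Schema and sample row are invented for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-constructed-key-1', 'team-a')")
    conn.commit()
    return conn


def verify_key_vulnerable(conn, presented_key):
    # Anti-pattern: the caller-controlled key is formatted into the SQL string,
    # so quote characters inside it change the statement's structure.
    query = f"SELECT team FROM virtual_keys WHERE token = '{presented_key}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def verify_key_hardened(conn, presented_key):
    # Fix: the key is passed as a bound parameter; the driver treats it purely
    # as data, so no content of the key can alter the query.
    row = conn.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (presented_key,)
    ).fetchone()
    return row[0] if row else None


# Assumed defense-in-depth check (not a LiteLLM format): reject anything that
# does not look like a key before it reaches the database at all.
KEY_PATTERN = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def is_well_formed_key(presented_key):
    return bool(KEY_PATTERN.fullmatch(presented_key))


def compare(presented_key):
    """Return (team resolved by the vulnerable lookup, team resolved by the hardened one)."""
    conn = build_db()
    try:
        return (
            verify_key_vulnerable(conn, presented_key),
            verify_key_hardened(conn, presented_key),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate key resolves identically under both lookups.
    print(compare("sk-constructed-key-1"))
    # A key carrying a quote and an always-true clause resolves to a team only
    # under the vulnerable lookup; the hardened one finds no such token.
    print(compare("x' OR '1'='1"))
```

The parameterized form is the actual remediation for this bug class; the disable_error_logs setting mentioned later on this page is the interim mitigation the page reports for installs that cannot yet upgrade.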

    According to researchers at Sysdig Threat Research Team (TRT), attackers began exploiting this vulnerability just 36 hours after its public disclosure on April 19, 2026. The swift exploitation of such a critical flaw underscores the importance of addressing known vulnerabilities promptly and taking proactive measures to fortify network security.

    The TRT observed that the initial attacks targeted sensitive information stored in database tables, specifically the virtual API keys, stored provider credentials, and proxy environment-variable configuration. These high-value targets suggest that attackers were attempting to exfiltrate or modify critical data, highlighting the severity of this vulnerability.

    Notably, researchers did not observe any follow-through activity, such as data theft or further compromise, after the initial exploitation. However, this does not lessen the threat posed by the vulnerability, as the same access could still be used in future targeted attacks.

    CISA has issued a warning to federal agencies, emphasizing the need to address this vulnerability by May 11, 2026. The agency's directive falls in line with the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which requires FCEB agencies to address identified vulnerabilities by their due dates.

    Experts and security professionals recommend that private organizations also review the CISA catalog and address the vulnerability in their own infrastructure. Users who cannot upgrade their installs are advised to set disable_error_logs: true in general settings, which blocks the attack path and reduces exposure.

    In conclusion, the addition of the BerriAI LiteLLM vulnerability to the KEV catalog underscores the pressing need for federal agencies and private organizations to prioritize vulnerability patching and security enhancements. By taking proactive measures to address known vulnerabilities like this one, these entities can significantly mitigate the risk of targeted attacks and safeguard their sensitive information.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/US-CISA-Adds-BerriAI-LiteLLM-Vulnerability-to-Known-Exploited-Vulnerabilities-Catalog-A-Growing-Threat-Landscape-for-Federal-Agencies-ehn.shtml

  • https://securityaffairs.com/191964/security/u-s-cisa-adds-a-flaw-in-berriai-litellm-to-its-known-exploited-vulnerabilities-catalog.html

  • https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42208

  • https://www.cvedetails.com/cve/CVE-2026-42208/


  • Published: Mon May 11 05:35:14 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.