A critical pre-authentication SQL injection vulnerability, tracked as CVE-2026-42208, has been discovered in the widely deployed LiteLLM AI gateway, exposing sensitive backend databases to unauthorized access.
Security researchers have confirmed that threat actors are already actively exploiting this flaw to steal high-value secrets, including API keys and provider credentials.
LiteLLM refers to a popular open-source proxy that connects applications to large language model (LLM) providers such as OpenAI and Anthropic.
Its centralized role in enterprise AI infrastructure makes it an exceptionally high-value target for attackers seeking to compromise AI-powered pipelines at scale.
The flaw originates from improper handling of the Authorization: Bearer header during authentication checks.
Due to a failure to implement parameterized queries, user-supplied input is processed directly by the backend database, enabling attackers to inject malicious SQL commands without any valid credentials.
Because the vulnerability exists in a pre-authentication component, any internet-exposed LiteLLM instance is an easy target. Attackers can execute arbitrary SQL queries, retrieve sensitive data, and manipulate backend configurations entirely unauthenticated.
The issue was first disclosed in the LiteLLM repository on April 20, 2026, and was quickly indexed across public vulnerability databases.
According to Sysdig, threat actors began developing tailored exploits almost immediately following disclosure, with the first active exploitation attempts observed within just 36 hours.
This timeline underscores the extraordinary interest attackers have in compromising AI infrastructure. Unlike typical automated SQL injection campaigns, these attacks were highly targeted and precise.
Threat researchers noted that attackers demonstrated prior knowledge of LiteLLM’s internal database schema, using column enumeration techniques to map its database structure systematically. They also rotated IP addresses to evade detection and maintain persistent access.
The primary objective of these attacks is to extract sensitive data from three critical tables:
- LiteLLM_VerificationToken — Stores virtual API and master keys, allowing attackers to reuse them from any location
- litellm_credentials — Contains upstream provider credentials, granting unauthorized access to costly, high-privilege AI services
- litellm_config — Holds environment configurations, including database connections and runtime settings
This level of access can result in significant operational and financial damage, as AI gateways typically serve as centralized access points for enterprise-scale services.
Mitigation
Administrators are strongly advised to upgrade immediately to LiteLLM version 1.83.7, which resolves the vulnerability by enforcing proper query parameterization. Any system running a vulnerable version and exposed to the internet should be treated as potentially compromised.
Security teams should take the following steps:
- Rotate all API keys and credentials stored within LiteLLM immediately
- Audit database access logs for anomalous or unexpected queries
- Restrict external access to LiteLLM instances wherever operationally feasible
- Monitor threat intelligence sources for ongoing exploitation activity related to this CVE
CVE-2026-42208 is a stark reminder of how swiftly attackers weaponize newly disclosed vulnerabilities, particularly those affecting AI infrastructure.
Relying solely on standard vulnerability databases can introduce dangerous delays. Proactive monitoring, rapid patch deployment, and credential rotation remain essential defenses in today’s threat landscape.
No Comment! Be the first one.