CVE-2026-42208: Critical SQL Injection in BerriAI LiteLLM
Active exploitation confirmed in the wild. CISA added this to the KEV catalog on 2026-05-08. Federal agencies must patch by 2026-05-11.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-42208 |
| CVSS score | 9.8 (Critical) |
| Attack vector | Unauthenticated request with a specially crafted Authorization header to LLM API routes (e.g., POST /chat/completions) |
| Auth required | None (unauthenticated) |
| Patch status | Fixed in LiteLLM 1.83.7; vulnerable in 1.81.16–1.83.6 |
TL;DR - LiteLLM 1.81.16–1.83.6 has a critical SQL injection during proxy API key checks via a crafted
Authorizationheader. - Upgrade to 1.83.7+ immediately; assume database/credential exposure if your instance is internet-facing. - CISA KEV-listed (exploited in the wild) — treat as active threat and hunt for indicators.
Vulnerability at a Glance
CVE-2026-42208 affects BerriAI LiteLLM, an “AI Gateway”/proxy that presents an OpenAI-compatible API surface while brokering calls to upstream LLM providers. The vulnerable code path is reached during proxy API key checks, where a caller-supplied key value is incorrectly mixed into SQL query text rather than being passed as a parameter. This is a classic precondition for SQL injection.
Two operational details matter for defenders. First, the attacker can be unauthenticated and only needs to send HTTP traffic to any exposed LLM API route (NVD cites POST /chat/completions as an example). Second, the vulnerable query is reached via an error-handling path, meaning you should not assume only “valid-looking” requests can trigger it; malformed or intentionally broken authorization input may be enough to reach the dangerous query.
What Is This Vulnerability?
At its core, this is an SQL injection (SQLi) issue in the logic that determines whether a request’s API key is valid. Instead of building a query like SELECT ... WHERE key = ? and binding parameters, the implementation mixes the raw key value into the query text. If an attacker can control that key value (via the HTTP Authorization header), they can potentially alter the SQL statement’s semantics.
The NVD summary is explicit about likely impact: an attacker could read data from the proxy’s database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages. For LiteLLM deployments, this can translate into the compromise of stored API keys/tokens (for upstream LLM providers), internal routing configuration, user/org mappings, usage telemetry, or other sensitive operational data stored in the backing database—depending on how the deployment is configured.
Technical Notes: Root Cause and Reachable Route
Per NVD’s description, exploitation is possible by sending a specially crafted Authorization header to any LLM API route (example: POST /chat/completions) and reaching the vulnerable query through an error-handling path.
Because we do not have the vendor’s exact SQL statement, defenders should assume:
- The payload can be delivered in typical API key formats (Bearer <token>, or other accepted schemes LiteLLM supports).
- The DB backend (SQLite/Postgres/etc.) influences payload shape and error signatures—so detection should focus on behavior and errors rather than DB-specific strings alone.
Who Is Affected?
Affected product: BerriAI LiteLLM (proxy server / AI Gateway)
Affected versions (explicit range): LiteLLM 1.81.16 through 1.83.6.
Fixed version (explicit): LiteLLM 1.83.7 (and later).
This range matters for teams relying on container tags or floating “latest” references. If you pin by major/minor only (for example 1.83.x) you can still be vulnerable if you are on 1.83.6 or earlier. Conversely, simply “being on 1.83” is not sufficient—the fix is specifically in 1.83.7.
Also assume exposure is highest when LiteLLM is: - Internet-facing (directly or behind a permissive reverse proxy), - Reachable from untrusted networks (partner, BYOD, contractor VPN), - Integrated into workflows that store and manage multiple provider credentials (centralized blast radius).
CVSS Score Breakdown (What the 9.8 Implies)
NVD reports a CVSS v3.x base score of 9.8 (Critical), but the vector string was not provided in the tool output available for this write-up. Without the vector, we can’t authoritatively state the individual metrics (AV/AC/PR/UI/S/C/I/A) as scored by NVD.
That said, the narrative details strongly align with why this would be critical in practice: the attack is remote and unauthenticated, it can lead to database read and potentially database modification, and it targets a gateway component that often sits at the center of AI/LLM access control. Even without a published vector string in-hand, security teams should treat this as a high-likelihood, high-impact issue—especially given confirmed exploitation.
Exploitation Status (In the Wild? PoC?)
Exploitation in the wild: Yes. CVE-2026-42208 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating exploitation has been observed. CISA KEV details for this CVE include:
- dateAdded: 2026-05-08
- dueDate: 2026-05-11
- Required action: “Apply mitigations per vendor instructions … or discontinue use…”
Public PoC status: Unknown from the data provided here. The NVD tool output in this session does not state whether a proof-of-concept exploit is publicly available. In absence of confirmed PoC status, defenders should assume: - Exploit tradecraft exists privately (KEV implies real-world use), - Copycat activity may follow quickly if technical details spread.
Technical Notes: What “KEV-listed” Should Trigger Internally
KEV-listed vulnerabilities are routinely integrated into attacker playbooks. Practically, that means you should: - Treat this as time-sensitive incident prevention (patch + restrict exposure), - Conduct retroactive log review and DB integrity checks, - Rotate secrets potentially stored in/accessible through LiteLLM if compromise is suspected.
How to Detect It
Detection for SQL injection against an API gateway has two parallel tracks: (1) web/API request telemetry (reverse proxy logs, WAF, ingress controller), and (2) application/DB error telemetry (exceptions, SQL errors, anomalous queries).
Start by scoping exposure: identify all instances of LiteLLM and all public routes that map to LLM API endpoints (e.g., /chat/completions, /completions, and other OpenAI-like paths used by your clients). Then correlate request logs to determine whether you are seeing unusual Authorization headers, high rates of 4xx/5xx, or user agents associated with scanning.
Technical Notes: Concrete Patterns and Queries
1) NGINX Access Log Hunting
If you log request headers, search for requests to LLM routes with suspicious characters commonly used in SQLi payloads. Example grep patterns:
# Hunt for SQLi metacharacters around Authorization header if captured in logs
grep -E 'POST /chat/completions|/completions' /var/log/nginx/access.log \
| grep -Ei 'authorization|bearer' \
| grep -E "('|%27|--|%2D%2D|;|%3B|/\*|\*/|%2F%2A|%2A%2F)"
If you do not log Authorization headers, focus on response anomalies and request rates:
# Look for bursts of 500s on LLM endpoints
grep -E ' /chat/completions| /completions' /var/log/nginx/access.log \
| awk '$9 ~ /500|502|503/ {print $0}' | head
2) Cloud/ELB/Ingress Query (Generic)
If you have a SIEM, create a query that flags:
- Requests to */chat/completions* or other LLM routes,
- Status codes 4xx/5xx above baseline,
- High cardinality in Authorization values (if logged) or repeated failures from the same source IP.
3) Application / DB Error Pattern
Hunt for generic patterns such as:
- syntax error
- unterminated quoted string
- near "..." (common SQLite)
- SQLSTATE codes (common Postgres)
Mitigation and Patching
The vendor fix is clear: upgrade LiteLLM to 1.83.7 or later. The vulnerable range is explicit (1.81.16–1.83.6), so any instance in that window should be considered immediately at risk.
If you suspect exploitation, assume the attacker could have accessed the proxy database and potentially obtained credentials managed by LiteLLM. The safest response is to rotate credentials for upstream LLM providers and any internal keys stored/used by LiteLLM, then review DB records and configuration for unauthorized changes.
Technical Notes: Concrete Upgrade Commands / Workarounds
1) Upgrade via pip (Python environment)
pip install --upgrade "litellm==1.83.7"
Then restart the service/process manager:
sudo systemctl restart litellm
sudo systemctl status litellm --no-pager
2) Upgrade in Containers (Version Pinning)
Update your deployment manifests to a tag/build that contains LiteLLM 1.83.7.
3) Exposure Reduction Workaround
If you cannot upgrade immediately, reduce exposure while you schedule the patch.
Concrete NGINX example (allowlist only; adjust CIDRs):
location /chat/completions {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
proxy_pass http://litellm_upstream;
}
Post-Patch Validation and Incident Response Considerations
After upgrading, validate both version and behavior. Confirm the running LiteLLM process is executing 1.83.7+.
Given confirmed exploitation in the wild, consider a lightweight incident response checklist even if you have no alerts: - Review access logs for anomalous traffic to LLM endpoints starting at least from 2026-05-08. - Audit the proxy database for suspicious changes. - Rotate upstream provider keys and any secrets accessible through LiteLLM.
References
- NVD CVE record: NVD CVE-2026-42208
- CISA KEV catalog entry: CISA KEV CVE-2026-42208
- Vendor advisory (GitHub Security Advisory): GitHub Advisory
- Fixed release notes: Release Notes
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.