A critical security flaw in the LiteLLM Python package has been rapidly exploited by threat actors shortly after its public disclosure, highlighting the growing speed at which attackers weaponize newly revealed vulnerabilities.
The issue, tracked as CVE-2026-42208 with a severity score of 9.3, affects LiteLLM, an open-source AI gateway developed by BerriAI.
Nature of the Vulnerability
The flaw is an SQL injection vulnerability that exists within LiteLLM’s proxy component. It arises from improper handling of user-supplied input during database queries.
Instead of safely parameterizing API key values, the application directly incorporates them into SQL statements. This allows attackers to manipulate queries by injecting malicious input through crafted HTTP headers.
Attack Method and Entry Point
Attackers can exploit the flaw by sending specially crafted Authorization headers to API endpoints such as /chat/completions. These requests are routed through an error-handling mechanism that unintentionally exposes the vulnerable query.
Because the attack does not require authentication, it significantly increases the risk, enabling unauthorized users to:
- Access sensitive database records
- Modify stored data
- Potentially gain control over API credentials
Affected Versions and Patch Availability
The vulnerability impacts LiteLLM versions starting from 1.81.16 up to, but not including, 1.83.7.
A fix was released in version 1.83.7-stable on April 19, 2026. However, exploitation attempts began less than two days later, demonstrating the narrow window between disclosure and active attacks.
Observed Exploitation Activity
Security researchers from Sysdig reported that malicious activity began within approximately 36 hours of the vulnerability becoming publicly known.
Initial attacks originated from one IP address, followed by a second phase using a different source. The attacker focused on extracting sensitive information from specific database tables, particularly those storing API keys and configuration data.
Notably, the activity targeted tables containing credentials for external AI services, indicating a clear intent to obtain high-value secrets.
High-Value Targets and Risk Exposure
The compromised database entries often contain critical credentials, including:
- API keys for large language model providers
- Cloud service authentication details
- Administrative access tokens
A successful breach could provide attackers with extensive access to cloud-based resources, making the impact comparable to a full cloud account compromise.
Previous Security Concerns
LiteLLM has previously been targeted in a supply chain attack linked to the TeamPCP group, emphasizing its attractiveness as a high-value target within the AI ecosystem.
Mitigation and Recommendations
Users are strongly urged to update to the latest patched version immediately.
For environments where patching cannot be applied right away, maintainers recommend disabling error logs to block the vulnerable execution path.
Additional security measures include:
- Monitoring API activity for unusual requests
- Restricting access to sensitive endpoints
- Rotating exposed credentials
- Conducting regular security audits
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
