AI Engineering

CVE-2026-42208: Pre-Auth SQLi Actively Exploited in LiteLLM

Threat actors are exploiting a critical pre-authentication SQL injection in the LiteLLM proxy to exfiltrate master API keys and cloud provider credentials.

Threat actors are actively exploiting a critical pre-authentication SQL injection vulnerability in LiteLLM, an open-source gateway used to manage access to language models. Security researchers reported the active exploitation on April 28, 2026, observing targeted attacks designed to extract master API keys and cloud provider credentials. The flaw allows unauthenticated HTTP clients to execute arbitrary SQL commands against the proxy’s underlying PostgreSQL database.

The Injection Mechanism

The vulnerability, tracked as CVE-2026-42208, stems from the proxy's API key verification step. In affected versions of LiteLLM, the value supplied in the Authorization: Bearer header is concatenated directly into a SQL SELECT statement instead of being bound as a query parameter.

By inserting a single quote into the authorization header, such as sk-litellm', an attacker breaks out of the intended query against the LiteLLM_VerificationToken table. Because this injection occurs during the initial authentication check, the attack is fully pre-authentication. Any external client that can reach the default LiteLLM proxy port can append arbitrary SQL commands to the execution path.

Exfiltration Scope

Sysdig Threat Research detected the first exploitation attempts approximately 36 hours and seven minutes after the vulnerability was indexed in the GitHub Advisory Database on April 24, 2026. The observed threat actors utilized IP rotation to evade basic rate limits and demonstrated prior knowledge of the internal LiteLLM schema.

Attackers executed UNION SELECT statements coupled with column-count enumeration to exfiltrate data from three specific tables:

  • LiteLLM_VerificationToken: Contains virtual API keys and the master key.
  • litellm_credentials: Holds stored provider credentials for upstream services like OpenAI, Anthropic, and AWS Bedrock.
  • litellm_config: Stores proxy environment variables and runtime configurations.

The immediate impact of a successful breach is comprehensive cloud account compromise. By design, LiteLLM centralizes billing and access for multiple paid AI providers. Once threat actors extract the master key, they can replay requests against the /chat/completions endpoint from any external IP address, bypassing internal access controls.

Remediation Path

This incident follows a separate security event in late March 2026 involving malicious PyPI packages published by the TeamPCP group. Following that supply-chain breach, the LiteLLM maintainers initiated a comprehensive security audit with Veria Labs.

The maintainers have released LiteLLM version 1.83.7 to resolve CVE-2026-42208 by replacing the vulnerable string concatenation with parameterized queries. The flaw affects versions 1.81.16 through 1.83.6.
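The following added example (not LiteLLM's own code) contrasts the concatenation pattern described under The Injection Mechanism with the parameterized form the fix adopts, and adds a small access-log check for bearer values that look like injection probes. It assumes an in-memory sqlite3 table standing in for the PostgreSQL LiteLLM_VerificationToken table, with illustrative column names and a constructed log format.

```python
import re
import sqlite3

# Constructed stand-in for the proxy's token table (assumption: sqlite3 replaces
# PostgreSQL only so this runs offline; the column names are illustrative).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LiteLLM_VerificationToken (token TEXT PRIMARY KEY, key_alias TEXT)")
    conn.executemany("INSERT INTO LiteLLM_VerificationToken VALUES (?, ?)",
                     [("sk-litellm-team-a", "team-a"), ("sk-litellm-master", "master")])
    return conn

# Vulnerable pattern the advisory describes: the bearer value from the Authorization
# header is spliced into SQL text, so a single quote changes the statement's structure.
def verify_token_vulnerable(conn, key):
    sql = f"SELECT key_alias FROM LiteLLM_VerificationToken WHERE token = '{key}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Hardened pattern matching the 1.83.7 fix: the value is bound as a parameter, so a
# quote is ordinary data and the lookup simply does not match.
def verify_token_fixed(conn, key):
    row = conn.execute("SELECT key_alias FROM LiteLLM_VerificationToken WHERE token = ?",
                       (key,)).fetchone()
    return row[0] if row else None

def query_breaks(conn, key):
    # True when the vulnerable lookup can no longer parse its own SQL (the breakout).
    try:
        verify_token_vulnerable(conn, key)
        return False
    except sqlite3.OperationalError:
        return True

# Detection aid: real keys are opaque tokens, so SQL metacharacters or UNION...SELECT in them warrant an alert.
SUSPECT = re.compile(r"'|--|/\*|\bunion\b.*\bselect\b", re.IGNORECASE)

def flag_log_lines(lines):
    # Return access-log lines whose auth="Bearer ..." field looks like an injection probe.
    flagged = []
    for line in lines:
        if 'auth="Bearer ' in line:
            key = line.split('auth="Bearer ', 1)[1].rstrip('"')
            if SUSPECT.search(key):
                flagged.append(line)
    return flagged
# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = ['POST /chat/completions auth="Bearer sk-litellm-team-a"',
              'POST /chat/completions auth="Bearer sk-litellm\' UNION SELECT"',
              'POST /chat/completions auth="Bearer sk-litellm\'"']
```

With a quote in the key the concatenated query fails to parse, while the parameterized lookup just returns no match; the same quote is what the log check keys on.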

Administrators operating internet-facing instances must upgrade to version 1.83.7 immediately. All virtual API keys, master keys, and upstream provider credentials stored in the database must be rotated, as logging alone cannot definitively rule out exfiltration prior to patching. For deployments unable to upgrade immediately, setting disable_error_logs: true under general_settings blocks the specific path through which malicious inputs reach the vulnerable query.
