
In yet another example of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI’s LiteLLM Python package was actively exploited in the wild within 36 hours of the bug becoming public knowledge.
This vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is a SQL injection that can be exploited to modify the underlying LiteLLM proxy database.
“The database query used during proxy API key checking was mixing the caller-specified key value into the query text instead of passing it as a separate parameter,” LiteLLM maintainers said in an alert last week.
“An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (such as POST /chat/completions) and reach this query through the proxy’s error handling path. The attacker could read data from the proxy’s database and potentially modify it, which could lead to unauthorized access to the proxy and the credentials it manages.”
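The flaw class the maintainers describe, shown as an added example that is not LiteLLM's code: a key lookup that builds the query text from the caller's value, beside the parameterized form. The `api_keys` table, the function names and the sample key are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a proxy's key store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO api_keys VALUES ('sk-constructed-1234', 'team-a')")
    return db


def bearer_token(header):
    # Return the value after "Bearer ", or "" for any other scheme.
    scheme, _, value = header.partition(" ")
    return value if scheme.lower() == "bearer" else ""


def lookup_concatenated(db, token):
    # Flawed pattern: the caller-supplied value becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    query = "SELECT owner FROM api_keys WHERE token = '" + token + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, token):
    # Corrected pattern: the value travels as a bound parameter and is only
    # ever compared as data, whatever characters it contains.
    query = "SELECT owner FROM api_keys WHERE token = ?"
    return db.execute(query, (token,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    samples = [
        "Bearer sk-constructed-1234",   # valid key
        "Bearer it's",                  # stray quote breaks the query text
        "Bearer x' OR '1'='1",          # textbook tautology
    ]
    for header in samples:
        token = bearer_token(header)
        try:
            flawed = lookup_concatenated(db, token)
        except sqlite3.OperationalError as exc:
            flawed = f"SQL error: {exc}"
        print(f"{header!r}: concatenated={flawed} "
              f"parameterized={lookup_parameterized(db, token)}")
```

With the bound parameter, the two malformed values simply match no row; with concatenation, one raises a SQL error and the other matches a row without presenting a valid key.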
This shortcoming affects the following versions:
Although this vulnerability was addressed in version 1.83.7 stable released on April 19, 2026, the first exploitation attempt was logged on April 26 at 16:17 UTC, approximately 26 hours and 7 minutes after the GitHub advisory was indexed in the global GitHub advisory database. According to Sysdig, the SQL injection activity originated from IP address 65.111.27[.]132.
“The malicious activity was split into two phases, initiated by the same operator between two adjacent egress IPs, followed by a brief probing of an unauthenticated key management endpoint,” said security researcher Michael Clarke.
Specifically, the unknown attackers allegedly targeted database tables such as ‘litellm_credentials.credential_values’ and ‘litellm_config’ that hold information related to upstream Large Language Model (LLM) provider keys and proxy runtime environments. No probes were observed for tables such as ‘litellm_users’ or ‘litellm_team’.
This suggests that the attackers were not only aware of these tables, but were also targeting tables that held sensitive secrets. In the second phase of the attack, observed 20 minutes later, the attacker used a different IP address (65.111.25[.]67), this time exploiting access to perform a similar probe.
LiteLLM is a popular open source AI gateway software with over 45,000 stars and 7,600 forks on GitHub. Last month, the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group to steal credentials and sensitive information from downstream users.
“A single litellm_credentials line often includes an OpenAI organization key with a five-digit monthly spending limit, an Anthropic console key with workspace admin privileges, and AWS Bedrock IAM credentials,” Sysdig said. “The scope of a successful database extraction is more similar to a cloud account compromise than a typical web app SQL injection.”
We recommend that users patch their instances to the latest version. If this is not an immediate option, administrators are encouraged to set “disable_error_logs: true” in “general_settings” to remove the path through which untrusted input can reach vulnerable queries.
“The LiteLLM vulnerability (GHSA-r75f-5x8p-qvmc) continues the modal pattern of AI infrastructure advisories: a five-digit star-in-software advisory that operators rely on to centrally manage critical, pre-authentication, and cloud-grade credentials,” Sysdig added.
“The 36-hour exploit window is consistent with the widespread collapse documented by Zero Day Clock, and the operator actions we recorded (verbatim Prisma table names, targeting of three tables, intentional column count enumeration) indicate that the exploit will no longer wait for a public PoC. The advisory and open source schema were ultimately sufficient.”
