Hackers are targeting sensitive information stored in the LiteLLM open-source large language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208.
The flaw is an SQL injection issue that occurs during LiteLLM’s proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route.
This allows reading data from the proxy’s database and modifying it. According to the maintainer’s security advisory, threat actors could use it for “unauthorised access to the proxy and the credentials it manages.”
A fix was delivered in LiteLLM version 1.83.7, which replaces string concatenation with parameterized queries.
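The difference between string concatenation and a parameterized query in a bearer-key lookup, as an added example that is not LiteLLM's code. The `demo_keys` table, the sample key and the function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema and sample row; not LiteLLM's real tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO demo_keys VALUES ('sk-demo-1234', 'team-a')")
    return db


def bearer_token(authorization: str) -> str:
    # Extract the token from an "Authorization: Bearer <token>" header value.
    scheme, _, token = authorization.partition(" ")
    return token if scheme.lower() == "bearer" else ""


def verify_concat(db: sqlite3.Connection, authorization: str) -> bool:
    # BEFORE: header text is pasted into the SQL string, so a quote in the
    # token closes the literal and the remainder is parsed as SQL.
    token = bearer_token(authorization)
    sql = "SELECT owner FROM demo_keys WHERE token = '" + token + "'"
    return db.execute(sql).fetchone() is not None


def verify_param(db: sqlite3.Connection, authorization: str) -> bool:
    # AFTER: the statement text is constant and the token is bound as a
    # value, so it can only ever be compared, never executed.
    token = bearer_token(authorization)
    sql = "SELECT owner FROM demo_keys WHERE token = ?"
    return db.execute(sql, (token,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed header values: a valid key, a wrong key, a quote-bearing key.
    for header in ("Bearer sk-demo-1234", "Bearer wrong", "Bearer x' OR '1'='1"):
        print(f"{header!r:30} concat={verify_concat(db, header)} "
              f"param={verify_param(db, header)}")
```

The quote-bearing header is accepted by the concatenated lookup and rejected by the parameterized one, which is the class of change the 1.83.7 fix describes.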
LiteLLM stores API keys, virtual and master keys, and environment/config secrets, so accessing its database allows hackers to read sensitive data they could then use to launch additional attacks.
LiteLLM is a popular proxy/SDK middleware layer that enables users to call AI models through a single unified API. The project is widely used by developers of LLM apps and platforms managing multiple models. It has 45k stars and 7.6k forks on GitHub.
The project was also recently targeted in a supply-chain attack, in which TeamPCP hackers released malicious PyPI packages that deployed an infostealer to harvest credentials, tokens, and secrets from infected systems.
In a report, researchers at Sysdig, a cloud security firm, say that CVE-2026-42208 exploitation began roughly 36 hours after the bug was disclosed publicly on April 24.
Active exploitation activity
The researchers observed deliberate and targeted exploitation attempts that sent crafted requests to ‘/chat/completions’ with a malicious ‘Authorization: Bearer’ header.
These requests queried specific tables that contained API keys, provider (OpenAI, Anthropic, Bedrock) credentials, environment data, and configs.
Sysdig explained that there were no probes against benign tables, and “the operator went straight to where the secrets live,” a strong indicator that the attacker knew exactly what to target.
In the second phase of the attack, the threat actor switched IP addresses, likely for evasion, and reran the same SQL injection attempts, this time focused on the correct table names and structures derived in the previous phase, using fewer, more precise payloads.
Sysdig comments that, while 36 hours is not as quick as the exploitation of a recent flaw in Marimo, the attacks were targeted and specific.
The researchers warned that exposed LiteLLM instances still running vulnerable versions should be treated as potentially compromised, and every virtual API key, master key, and provider credential stored in internet-exposed LiteLLM instances should be rotated.
For those who can’t upgrade to LiteLLM 1.83.7 or later, the maintainers suggest the workaround of setting ‘disable_error_logs: true’ under ‘general_settings’ to block the path through which malicious inputs can reach the vulnerable query.




