LiteLLM CVE-2026-42208 SQL Injection Exploited Within 36 Hours of Disclosure

In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI’s LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge.

The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying LiteLLM proxy database.

“A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter,” LiteLLM maintainers said in an alert last week.

“An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example, POST /chat/completions) and reach this query through the proxy’s error-handling path. An attacker could read data from the proxy’s database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages.”
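
The pattern the maintainers describe, as an added example that is not LiteLLM's code: a key lookup that concatenates the bearer token into the SQL text, next to one that binds it as a parameter. The `api_keys` table, the sample key and all function names are hypothetical, and an in-memory SQLite database stands in for the proxy database.

```python
import sqlite3


def make_db():
    """Build an in-memory stand-in for a proxy key table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO api_keys VALUES ('sk-constructed-0001', 'team-a')")
    return db


def bearer_token(authorization):
    """Extract the key from an 'Authorization: Bearer <key>' header value."""
    scheme, _, value = authorization.partition(" ")
    return value.strip() if scheme.lower() == "bearer" else ""


def lookup_concatenated(db, authorization):
    """Flawed pattern: the caller's key becomes part of the SQL text."""
    key = bearer_token(authorization)
    sql = "SELECT owner FROM api_keys WHERE token = '" + key + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, authorization):
    """Corrected pattern: the key travels as a bound parameter, never as SQL."""
    key = bearer_token(authorization)
    sql = "SELECT owner FROM api_keys WHERE token = ?"
    return [row[0] for row in db.execute(sql, (key,))]


def outcome(lookup, authorization):
    """Run one lookup against a fresh database and summarise the result."""
    try:
        owners = lookup(make_db(), authorization)
    except sqlite3.Error:
        return "sql-error"  # the key broke the statement's syntax
    return "accepted" if owners else "rejected"


if __name__ == "__main__":
    # Constructed header values: one valid key, two keys containing a quote.
    headers = ["Bearer sk-constructed-0001", "Bearer x' OR '1'='1", "Bearer sk'x"]
    for header in headers:
        print(repr(header),
              "| concatenated:", outcome(lookup_concatenated, header),
              "| bound:", outcome(lookup_bound, header))
```

With binding, a key containing a quote is compared as an ordinary string and rejected; with concatenation the same key either changes the query's logic or breaks its syntax.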

The shortcoming impacts the following versions –

While the vulnerability was addressed in version 1.83.7-stable released on April 19, 2026, the first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and 7 minutes after the GitHub advisory was indexed in the global GitHub Advisory Database. The SQL injection activity, per Sysdig, originated from the IP address 65.111.27[.]132.

“Malicious activity fell into two phases driven by the same operator across two adjacent egress IPs, followed by a brief unauthenticated probe of the key-management endpoints,” security researcher Michael Clark said.

Specifically, the unknown threat actor is said to have targeted database tables like “litellm_credentials.credential_values” and “litellm_config” that hold information related to upstream large language model (LLM) provider keys and the proxy runtime environment. No probes were observed against tables like “litellm_users” or “litellm_team.”

This suggests that the attacker was not only aware of these tables, but also went after those that hold sensitive secrets. In the second phase of the attack, observed after 20 minutes, the threat actor used a different IP address (“65.111.25[.]67”), this time abusing the access to run the same probe.

LiteLLM is a popular, open-source AI Gateway software with over 45,000 stars and 7,600 forks on GitHub. Last month, the project was the target of a supply chain attack orchestrated by the TeamPCP hacking group to steal credentials and secrets from downstream users.

“A single litellm_credentials row typically holds an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential,” Sysdig said. “The blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection.”

Users are advised to patch their instances to the latest version. If this is not an immediate option, the maintainers recommend setting “disable_error_logs: true” under “general_settings” to remove the path through which untrusted input reaches the vulnerable query.

“The LiteLLM vulnerability (GHSA-r75f-5x8p-qvmc) continues the modal pattern for AI-infrastructure advisories: critical, pre-auth, and in software with five-figure star counts that operators trust to centralize cloud-grade credentials,” Sysdig added.

“The 36-hour exploit window is consistent with the broader collapse documented by the Zero Day Clock, and the operator behavior we recorded (verbatim Prisma table names, three-table targeting, deliberate column-count enumeration) shows that exploitation no longer waits for a public PoC. The advisory and the open-source schema were ultimately enough.”
