CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Active exploitation of pre-authentication SQL injection in LiteLLM proxy gateways

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A critical pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM gateway proxy is being actively exploited by threat actors to access and modify sensitive data stored in the proxy's database. The flaw, tracked as CVE-2026-42208, allows unauthenticated attackers to send specially crafted Authorization headers to any LLM API route, enabling read and write access to database contents. Given LiteLLM's role as a middleware layer for managing API keys, credentials, and environment secrets across major providers (e.g., OpenAI, Anthropic, Bedrock), successful exploitation can lead to unauthorized access to credentials and configuration data. The vulnerability arises from insecure string concatenation during API key verification and has been addressed in LiteLLM version 1.83.7 via parameterized queries. Widespread exploitation began approximately 36 hours after public disclosure on April 24, 2026.

Timeline

  1. 29.04.2026 00:07 1 articles · 1h ago

    Active exploitation of CVE-2026-42208 begins within 36 hours of public disclosure

    Sysdig researchers observed targeted exploitation of CVE-2026-42208 starting approximately 36 hours after public disclosure on April 24, 2026. The first phase involved probing the vulnerable '/chat/completions' endpoint with crafted Authorization headers targeting tables containing API keys and provider credentials. The second phase refined payloads and switched IP addresses, focusing on exact table names and structures, indicating reconnaissance and deliberate targeting of sensitive data.

    Show sources
    Open in new tab

Information Snippets

  • The vulnerability (CVE-2026-42208) is a pre-authentication SQL injection flaw in LiteLLM occurring during the API key verification step in the proxy gateway.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • Exploitation does not require authentication and involves sending a maliciously crafted Authorization header to any LLM API route.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • Successful exploitation allows attackers to read and modify data within the LiteLLM proxy's database, including API keys, virtual and master keys, environment variables, and provider credentials.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • LiteLLM version 1.83.7 and later mitigates the issue by replacing string concatenation with parameterized queries in the vulnerable component.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • Active exploitation targeting LiteLLM instances was observed by Sysdig researchers starting approximately 36 hours after public disclosure on April 24, 2026.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • Exploitation attempts specifically queried tables containing provider credentials (e.g., OpenAI, Anthropic, Bedrock), API keys, environment data, and configuration secrets, indicating targeted intent.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • In the second phase of attacks, threat actors switched IP addresses and refined payloads to target exact table structures and names, suggesting prior reconnaissance and knowledge of the database schema.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • LiteLLM serves as a unified API proxy/SDK middleware used by developers to interact with multiple LLM providers and is widely deployed with 45,000 stars and 7,600 forks on GitHub.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources

  • A separate supply-chain attack against LiteLLM occurred recently, where malicious PyPI packages released by TeamPCP deployed an infostealer to harvest credentials and tokens.

    First reported: 29.04.2026 00:07
    1 source, 1 article
    Show sources