LiteLLM pre-auth SQL injection (CVE-2026-42208)
Vulnerability
Summary
LiteLLM's CVE-2026-42208 pre-auth SQL injection is being actively exploited, putting proxy databases and stored secrets at risk. The flaw can be triggered without authentication through a crafted Authorization header, allowing attackers to read or modify database content. LiteLLM 1.83.7 fixes the issue, but exposed deployments may already have had credentials and secrets accessed.
Related Happenings
Cursor local SQLite secret-storage exposing credentials security flaw
Vulnerability
First: 29.04.2026 18:00
Last: 29.04.2026 18:00
Sources 1
About this happening:
A **high-severity** **Cursor** flaw lets installed extensions read secrets stored locally, exposing **API keys** and **session tokens** without user interaction. The weakness stem...
N8n sandbox escape flaws (multiple vulnerabilities)
Vulnerability
First: 04.02.2026 15:00
Last: 04.02.2026 15:00
Sources 1
About this happening:
Two **maximum-severity sandbox-escape flaws** in **n8n** expose **self-hosted and cloud instances** to **complete server takeover** and **credential theft**. An **authenticated us...
Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)
Advisory/Mitigation
First: 03.02.2026 18:15
Last: 03.02.2026 18:15
Sources 1
About this happening:
**Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...
Timeline
- 29.04.2026 08:34 · 1 article · 28d ago
  LiteLLM fixed release for CVE-2026-42208
  Mitigation Patch Update: BerriAI released `1.83.7-stable` on April 19, 2026 to address `CVE-2026-42208`, a critical `SQL injection` in LiteLLM proxy API key checks, and recommended setting `disable_error_logs: true` as a workaround when immediate upgrading is not possible.
  Sources:
  - LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure — thehackernews.com — 29.04.2026 08:34
- 29.04.2026 08:34 · 1 article · 28d ago
  Public disclosure of active CVE-2026-42208 exploitation
  Initial Disclosure: CVE-2026-42208 in BerriAI's LiteLLM Python package was publicly described as actively exploited within 36 hours of disclosure; the flaw let an unauthenticated attacker send a crafted `Authorization` header to LLM API routes like `POST /chat/completions`, reach the proxy's error-handling path, and read or modify the LiteLLM proxy database and the credentials it manages.
  Sources:
  - LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure — thehackernews.com — 29.04.2026 08:34
- 29.04.2026 00:07 · 3 articles · 28d ago
  Targeted exploitation of LiteLLM SQL injection
  Exploitation Observed: Researchers observed targeted exploitation against exposed LiteLLM instances using crafted requests to `/chat/completions` with a malicious `Authorization: Bearer` header. The requests queried tables holding API keys, provider credentials for OpenAI, Anthropic, and Bedrock, environment data, and configs, indicating deliberate focus on secret-bearing database contents rather than benign tables.
  Sources:
  - Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw — www.bleepingcomputer.com — 29.04.2026 00:07
  - LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure — thehackernews.com — 29.04.2026 08:34
- 29.04.2026 00:07 · 1 article · 28d ago
  LiteLLM CVE-2026-42208 disclosure and fix guidance
  Initial Disclosure: LiteLLM disclosed CVE-2026-42208, a critical SQL injection in the proxy API key verification step that can be triggered without authentication by a crafted `Authorization` header to LLM API routes. The maintainer said LiteLLM version 1.83.7 replaces string concatenation with parameterized queries, and operators of exposed instances should upgrade or, if they cannot, set `disable_error_logs: true` and rotate virtual API keys, master keys, and provider credentials stored in the proxy database.
  Sources:
  - Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw — www.bleepingcomputer.com — 29.04.2026 00:07
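The fix guidance above comes down to one change in the key-verification path: stop concatenating the bearer token into the SQL text and bind it as a parameter instead. The following Python example is added here to show that difference side by side; it is not LiteLLM's code and does not reproduce its schema. It assumes a constructed in-memory SQLite table named `virtual_keys` holding plaintext tokens (real deployments should store key hashes; plaintext is used only so the lookup is visible), a constructed key format of `sk-` followed by URL-safe characters, and sample keys that are invented. Beyond the page's point about parameterization, it also adds an allowlist check on the token before the query runs, which is a second, independent layer of defence.

```python
"""Added example, not LiteLLM code: string-concatenated vs. parameterized
API key lookup, plus an allowlist check on the bearer token.

Assumptions (constructed for this demo): table `virtual_keys` with plaintext
tokens, and keys matching `sk-` + 8..128 URL-safe characters.
"""
import re
import sqlite3
from typing import Optional

# Constructed key format; the real proxy's key format is not assumed here.
KEY_PATTERN = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory table with two constructed virtual keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO virtual_keys (token, team) VALUES (?, ?)",
        [("sk-alpha-12345678", "team-a"), ("sk-beta-123456789", "team-b")],
    )
    conn.commit()
    return conn


def bearer_token(auth_header: str) -> Optional[str]:
    """Return the token from an `Authorization: Bearer <token>` value, else None."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_unsafe(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """Vulnerable pattern: the token becomes part of the SQL text itself.
    Any quote character in the header changes the query's structure."""
    sql = "SELECT team FROM virtual_keys WHERE token = '" + token + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """Fixed pattern: the token is bound as a parameter and can only ever be
    compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def verify_key(conn: sqlite3.Connection, auth_header: str) -> Optional[str]:
    """Hardened verification: parse the header, reject anything outside the
    expected key charset before touching the database, then query safely."""
    token = bearer_token(auth_header)
    if token is None or not KEY_PATTERN.fullmatch(token):
        return None
    return lookup_safe(conn, token)


def compare(conn: sqlite3.Connection, auth_header: str) -> dict:
    """Run one header through all three paths and report what each did.
    The unsafe path's exception type is captured instead of propagating, since
    the error-handling branch is exactly where an injected quote surfaces."""
    token = bearer_token(auth_header) or ""
    result = {
        "safe": lookup_safe(conn, token),
        "hardened": verify_key(conn, auth_header),
        "unsafe_error": None,
    }
    try:
        result["unsafe"] = lookup_unsafe(conn, token)
    except sqlite3.Error as exc:
        result["unsafe"] = None
        result["unsafe_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    db = make_demo_db()
    for header in ("Bearer sk-alpha-12345678", "Bearer sk-x'y-12345678"):
        print(repr(header), "->", compare(db, header))
```

A well-formed key resolves identically on all three paths. A token containing a single quote, which a legitimate key never does, makes the concatenated query fail with a SQL error while the parameterized query simply finds no match; the hardened path never reaches the database at all because the allowlist rejects the token first. That error-on-quote behaviour is also the quickest local check for whether a lookup is still being built by concatenation.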