LiteLLM Pre-Auth SQL Injection Exploited Within 36 Hours

AI relevance: LiteLLM is the most widely deployed open-source LLM proxy gateway, serving as the authentication and routing layer between applications and model providers — any compromise of its auth path directly exposes every connected AI service and its credentials.

What happened

• CVE-2026-42208 (GHSA-r75f-5x8p-qvmc) is a critical pre-authentication SQL injection in LiteLLM's Authorization header handling. The Authorization: Bearer value is concatenated directly into a PostgreSQL query without parameterization, allowing arbitrary SELECT statements from any unauthenticated HTTP client that can reach the proxy port.
• The advisory was indexed in the GitHub Advisory Database on 2026-04-24. Sysdig's Threat Research Team observed the first exploitation attempt just 36 hours and 7 minutes later, on 2026-04-26 at 04:24 UTC.
• Attacks used precise UNION-based payloads targeting three specific tables: LiteLLM_VerificationToken (virtual and master API keys), litellm_credentials (upstream provider credentials), and litellm_config (environment variables and database connection strings).
• Operators demonstrated schema-level knowledge — using Prisma PascalCase table names and textbook column-count enumeration — suggesting either prior access to the LiteLLM codebase or deliberate reconnaissance, possibly LLM-assisted.
• Exploitation sources rotated across adjacent /22 IPs in AS200373 (3xK Tech GmbH), using a consistent Python/3.12 aiohttp/3.9.1 user-agent string.
• After SQLi attempts, operators probed /key/generate and /key/info endpoints, suggesting follow-on authentication testing with exfiltrated keys.
• Multiple related LiteLLM vulnerabilities form an RCE chain: CVE-2026-42203 (authenticated command execution via MCP stdio test endpoints, GHSA-v4p8-mg3p-g94g) and CVE-2026-42271, together enabling full system compromise of exposed instances.
• runZero and Assured published guidance for discovering impacted LiteLLM assets across enterprise networks, noting that many teams lack runtime visibility into whether their gateway instances are doing something they should not.
• LiteLLM receives over 3 million daily PyPI downloads, making it one of the highest-impact targets in the AI infrastructure supply chain.

Why it matters

The speed of exploitation — 36 hours from advisory to active, schema-aware attacks — demonstrates that AI infrastructure is a high-priority target. Exfiltrated virtual or master API keys can be replayed to /chat/completions from any IP, granting unlimited access to every upstream model provider configured in the proxy. When combined with the authenticated command execution vulnerability (CVE-2026-42203), the full chain delivers unauthenticated entry through to remote code execution on the host.

What to do

• Update immediately to LiteLLM v1.83.7 or later, which enforces proper query parameterization.
• Rotate all credentials — virtual API keys, master keys, and upstream provider credentials — for any internet-reachable LiteLLM instance running a vulnerable version. Treat exposed instances as compromised.
• Restrict network access — place LiteLLM behind an authenticated reverse proxy and block direct access to the proxy port from untrusted networks.
• Monitor for IOCs — watch for Authorization: Bearer headers beginning with sk-litellm', UNION SELECT payloads in request bodies, and requests from AS200373.
• Scan your fleet — use runZero's LiteLLM detection guidance or asset inventory tools to identify all running instances, including shadow deployments.

Links

• Sysdig: CVE-2026-42208 analysis
• runZero: LiteLLM Proxy vulnerabilities and asset discovery
• GitHub Advisory: GHSA-r75f-5x8p-qvmc
• Assured: AI Autopsy — LiteLLM backdoor analysis