CISA KEV — LiteLLM CVE-2026-42208 SQL Injection Under Active Exploitation
AI relevance: LiteLLM is the most widely deployed LLM API proxy in enterprise AI stacks, and its compromise exposes every model API key, routing rule, and billing credential routed through it.
What happened
- CISA added CVE-2026-42208 (CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation of the BerriAI LiteLLM proxy.
- The flaw is a SQL injection in the proxy's database layer that allows attackers to read and modify the proxy's internal database, including stored API keys, team configurations, and routing rules.
- Attackers were observed exploiting the vulnerability within 36 hours of public disclosure — a timeline that underscores the urgency for organizations running LiteLLM.
- A prior supply-chain compromise of LiteLLM on PyPI in March 2026 silently stole credentials from every agent routing traffic through the poisoned package, demonstrating that the proxy's position as a credential relay makes it a high-value target.
- The original vulnerability was patched in earlier releases; affected versions must be updated immediately and credentials rotated.
Why it matters
- KEV catalog placement triggers mandatory patching deadlines for US federal agencies under Binding Operational Directive 22-01, but the exploitation window has already passed — attackers don't wait for compliance cycles.
- LiteLLM deployments typically hold API keys for multiple LLM providers (OpenAI, Anthropic, Google), so a single compromised proxy can grant access to dozens of model accounts and their associated billing.
- The combination of supply-chain compromise (PyPI) and runtime exploitation (SQLi) in the same product within weeks shows the AI infrastructure layer is under coordinated pressure from multiple attack vectors.
What to do
- Update LiteLLM to the latest patched version immediately if running any affected release.
- Rotate all API keys, service account credentials, and team tokens stored in or accessible through the LiteLLM proxy.
- Audit proxy database logs for unauthorized queries or configuration changes during the exploitation window.
- Verify that no poisoned LiteLLM packages from the March 2026 PyPI incident remain installed.