securityaffairs.com 4/29/2026, 9:11:29 PM · via preferred

LiteLLM flaw CVE-2026-42208 exploited within hours of disclosure

LiteLLM flaw CVE-2026-42208 exploited within hours of disclosure
Developing story vulnerability 5 articles tracked
LiteLLM SQL injection vulnerability (CVE-2026-42208) actively exploited
CyberSIXT Evidence Panel
Primary Source sysdig.com
CISA KEV Not in KEV
Patch Patch Status Unknown

ATTACKERS rapidly weaponised a critical flaw in LiteLLM, CVE-2026-42208, to access and potentially modify database data via SQL injection just days after disclosure, according to the article.

The vulnerability resides in LiteLLM’s proxy API key verification, where the user-supplied key is inserted directly into a query rather than passed as a parameter, enabling unauthenticated exploitation by sending a crafted Authorization header to endpoints such as POST /chat/completions and reaching the query through the proxy’s error-handling path.

The flaw affects LiteLLM versions 1.81.16 to 1.83.6 and was fixed in 1.83.7 on 19 April 2026; Sysdig Threat Research Team observed exploitation about 36 hours after the advisory was published to the global database. Real-world attacks targeted sensitive information in the proxy’s database, though researchers noted no signs of data theft or follow-through at the time.

The report highlights rapid, targeted schema-enumeration of high-value tables holding virtual API keys, stored provider credentials, and the proxy’s environment-variable configuration, underscoring the speed and precision of the attack. according to BerriAI’s advisory.

View Primary Source Via securityaffairs.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline