ON 8 May 2026 the Cybersecurity and Infrastructure Security Agency added CVE-2026-42208 to its Known Exploited Vulnerabilities catalogue after confirming active exploitation in the wild, according to an update published on its site CISA Adds One Known Exploited Vulnerability to Catalog. The flaw affects BerriAI's LiteLLM open-source AI gateway and is rated Critical with a CVSS v3.1 score of 9.3. It permits unauthenticated attackers to inject SQL through the proxy's API-key verification routine, potentially exposing or altering sensitive data stored in the backend database. The addition triggers mandatory remediation timelines for US federal agencies under BOD-22-01.
CVE-2026-42208 is a classic injection vulnerability where the user-supplied Authorization header value is concatenated directly into an SQL statement rather than being passed as a parameter, a mistake present in LiteLLM versions 1.81.16 through 1.83.6. The issue was patched in release 1.83.7 on 19 April 2026, which introduced proper parametrised queries for the key-check routine. Because the vulnerable code runs before authentication, any attacker able to reach the LiteLLM proxy port can send a crafted header to endpoints such as POST /chat/completions and manipulate the underlying database. The NVD entry describes the impact as possible read, write or administrative operations on the proxy's data store NVD - CVE-2026-42208.
Threat researchers observed the first exploitation attempt roughly 36 hours after the public disclosure, with Sysdig's threat-research team logging activity from IP address 65.111.27.132 on 26 April 2026 at 16:17 UTC Sysdig blog. Attackers used a specially crafted Authorization payload that triggered the vulnerable query path, allowing them to extract tables containing API keys, user credentials and model-usage logs. Similar details were reported by SecurityAffairs, SecurityWeek and The Hacker News, all noting that the flaw was weaponised within days of the advisory and that no authentication was required to succeed SecurityAffairs SecurityWeek The Hacker News.
No specific threat-actor group has been attributed to the observed activity, but the speed of the campaign highlights how opportunistic actors are scanning for newly disclosed flaws in widely used AI infrastructure. The incident fits a broader trend of attackers targeting LLM proxies and gateway components to harvest credentials that can be pivoted into larger environments.
CISA's inclusion of the vulnerability in the KEV catalogue highlights the risk to federal networks and obliges agencies to apply the fix within the timeframe set by BOD-22-01, while also encouraging private-sector owners to prioritize mitigation.
Defenders should immediately upgrade any LiteLLM deployment to version 1.83.7 or later, as the patch eliminates the unsafe string concatenation in the authentication query. Where immediate upgrade is not possible, administrators can apply a temporary web-application-firewall rule that blocks Authorization headers containing SQL keywords such as SELECT, UNION, INSERT, UPDATE or DELETE, or that rejects requests with anomalous length or special characters.
Reviewing proxy access logs for unexpected database error messages or unusual query patterns can help identify attempted exploitation. Additionally, enforcing network segmentation so that the LiteLLM proxy is not directly reachable from untrusted zones reduces the attack surface.
Maintaining an accurate inventory of all AI-gateway services and checking them against the KEV catalogue on a regular basis ensures that future critical flaws are not missed. Organisations should also validate that other components using similar API-key verification patterns do not repeat the mistake of concatenating user input into SQL statements. Regular penetration testing focused on authentication paths and input validation will help uncover similar injection flaws before they are exploited. Staying informed through trusted sources such as CISA, vendor advisories and reputable security blogs remains essential for timely defence.