A critical pre-authentication SQL injection vulnerability in LiteLLM, a widely used open-source AI gateway with over 22,000 GitHub stars, is actively being exploited in the wild.
Tracked as CVE-2026-42208, this severe flaw allows unauthenticated attackers to extract highly sensitive cloud and AI provider credentials directly from the platform’s PostgreSQL database.
LiteLLM acts as a central proxy for major language models like OpenAI, Anthropic, and AWS Bedrock.
Because it manages AI routing and billing, the application stores high-value secrets, including master API keys and enterprise cloud credentials.
Rapid Exploitation and Targeted Data Theft
The blast radius of a successful breach is closer to that of a massive cloud account compromise than to that of a typical web application attack.
The vulnerability sits in the proxy’s key-verification path. The value of the Authorization: Bearer header is not treated as untrusted input, so a single quote inside it is passed straight through to the database query that looks up the virtual key.
By sending a fake token such as sk-litellm' (note the trailing single quote), an attacker can terminate the intended string literal, break out of the query and append SQL of their own, all before any authentication check has succeeded.
Any HTTP client that can reach the proxy port can execute the exploit; no valid key is needed.
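The bug pattern the article describes, reduced to a runnable model. This is an added example, not LiteLLM’s code: SQLite stands in for the PostgreSQL database, the column names are assumptions, and only the table names come from the article. The vulnerable lookup splices the header value into the SQL text; the hardened lookup passes it as a bound parameter, which is why the same attacker input returns nothing there.

```python
import sqlite3

# Constructed stand-in for the proxy's database: SQLite in memory, using the
# table names the article reports as targeted. Column names are assumptions.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE "LiteLLM_VerificationToken" (token TEXT PRIMARY KEY, user_id TEXT);
        CREATE TABLE litellm_credentials (credential_name TEXT, credential_values TEXT);
        INSERT INTO "LiteLLM_VerificationToken" VALUES ('sk-abc123', 'alice');
        INSERT INTO litellm_credentials VALUES ('aws-bedrock', 'AKIA-CONSTRUCTED-EXAMPLE');
    """)
    return conn

def bearer_token(authorization: str) -> str:
    """Pull the raw token out of 'Bearer <token>'; no validation, as pre-auth code would do."""
    prefix = "bearer "
    if not authorization.lower().startswith(prefix):
        return ""
    return authorization[len(prefix):].strip()

def lookup_vulnerable(conn: sqlite3.Connection, authorization: str) -> list:
    """Bug pattern: the header value is interpolated into the SQL string."""
    token = bearer_token(authorization)
    sql = f"""SELECT token, user_id FROM "LiteLLM_VerificationToken" WHERE token = '{token}'"""
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, authorization: str) -> list:
    """Fix: the token travels as a bound parameter and cannot change the query."""
    token = bearer_token(authorization)
    sql = 'SELECT token, user_id FROM "LiteLLM_VerificationToken" WHERE token = ?'
    return conn.execute(sql, (token,)).fetchall()

def quote_breaks_query(conn: sqlite3.Connection, authorization: str) -> bool:
    """True if a bare quote reaches the SQL parser (the probe behaviour the article describes)."""
    try:
        lookup_vulnerable(conn, authorization)
    except sqlite3.OperationalError:
        return True
    return False

# Constructed attacker inputs. PROBE is the bare-quote test; EXFIL terminates the
# string, UNIONs in rows from the credentials table and comments out the trailing quote.
PROBE = "Bearer sk-litellm'"
EXFIL = ("Bearer sk-litellm' UNION SELECT credential_name, credential_values "
         "FROM litellm_credentials --")

if __name__ == "__main__":
    db = build_db()
    print("probe breaks vulnerable query:", quote_breaks_query(db, PROBE))
    print("vulnerable lookup with EXFIL:", lookup_vulnerable(db, EXFIL))
    print("safe lookup with EXFIL:", lookup_safe(db, EXFIL))
```

The mixed-case table name is double-quoted on purpose: PostgreSQL folds unquoted identifiers to lowercase, so a payload that names LiteLLM_VerificationToken without quotes would miss the table, which is the case-matching detail the article notes in the observed payloads.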
The Sysdig Threat Research Team detected the first exploitation attempt just 36 hours and seven minutes after the vulnerability was indexed in the global GitHub Advisory Database on April 24, 2026.
Rather than using noisy, automated vulnerability scanners, the attackers demonstrated advanced knowledge of LiteLLM’s internal structure.
The threat actors launched targeted attacks against three tables: LiteLLM_VerificationToken, litellm_credentials, and litellm_config.
These tables store the system’s most critical data, including virtual API keys, stored provider credentials, and environment configurations.
The operators even adapted their payloads to match the exact case of the database schema. This matters on PostgreSQL, which folds unquoted identifiers to lowercase: a mixed-case table such as LiteLLM_VerificationToken has to be referenced in double quotes with its exact case, and getting that right without trial and error points to prior familiarity with the schema.
This highly targeted activity originated from two IP addresses (65.111.27.132 and 65.111.25.67) within the same autonomous system, indicating a coordinated, deliberate data-extraction effort.
Immediate Patching and Credential Rotation
The maintainers of LiteLLM have released version 1.83.7, which resolves the vulnerability by fixing how the affected database query is built; the standard remedy for this class of bug is to pass the token as a bound parameter rather than splicing it into the SQL string.
Organizations running any affected version (from 1.81.16 through 1.83.6) must apply this critical update immediately.
Because this attack requires no login and can be executed against any exposed instance, administrators should assume that vulnerable, internet-facing servers have already been compromised.
Security teams must instantly rotate all virtual API keys, master keys, and stored provider credentials.
Furthermore, companies should actively monitor their upstream cloud billing accounts for unexpected API calls or unauthorized AI token consumption.
Defenders should also audit web server logs for suspicious requests containing SQL keywords or the sk-litellm' payload. Note that the payload travels in the Authorization header, which default access log formats do not record, so the search has to cover whatever layer captured that header (a reverse proxy or WAF configured to log it); database syntax errors in the proxy’s own logs are another indicator that the bare-quote probe was attempted.
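A small log triage script for the audit described above. This is an added example, not from the article or the LiteLLM project. It assumes a JSON-lines access log from a reverse proxy configured to record the Authorization header (constructed sample lines below; the field names are assumptions), URL-decodes the token before inspection, and flags bare quotes, SQL keywords, references to the three targeted tables, and the two source IPs the article reports.

```python
import json
import re
from urllib.parse import unquote

# Source IPs named in the article for the observed exploitation attempts.
IOC_IPS = {"65.111.27.132", "65.111.25.67"}

# Tables the article says were targeted; compared case-insensitively because the
# attacker may write the mixed-case name quoted or the lowercase form unquoted.
TARGET_TABLES = ("litellm_verificationtoken", "litellm_credentials", "litellm_config")

# SQL fragments that have no business inside a bearer token. Word boundaries keep
# random key material that happens to contain "from" or "select" from matching.
SQL_PATTERN = re.compile(r"(?i)\b(union|select|from|where|pg_sleep)\b|--|/\*|;")

# Constructed sample log (assumed JSON-lines format with the Authorization header logged).
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2026-04-26T01:10:02Z", "client_ip": "10.0.0.5", "path": "/v1/chat/completions",
                "status": 200, "authorization": "Bearer sk-9f3aselectfrom"}),
    json.dumps({"ts": "2026-04-26T01:12:44Z", "client_ip": "65.111.27.132", "path": "/v1/models",
                "status": 500, "authorization": "Bearer sk-litellm'"}),
    json.dumps({"ts": "2026-04-26T01:12:51Z", "client_ip": "65.111.25.67", "path": "/v1/models",
                "status": 200, "authorization": "Bearer sk-litellm%27%20UNION%20SELECT%20credential_name"
                                                 "%2Ccredential_values%20FROM%20litellm_credentials--"}),
    json.dumps({"ts": "2026-04-26T01:15:00Z", "client_ip": "10.0.0.7", "path": "/health",
                "status": 200, "authorization": ""}),
])

def bearer_token(auth_header: str) -> str:
    """Return the URL-decoded token after 'Bearer ', or '' if the header is absent or not Bearer."""
    if not auth_header.lower().startswith("bearer "):
        return ""
    return unquote(auth_header[7:].strip())

def classify(entry: dict) -> list:
    """List the reasons a single log entry looks like CVE-2026-42208 activity (empty if none)."""
    reasons = []
    token = bearer_token(entry.get("authorization", ""))
    if "'" in token:
        reasons.append("quote_in_token")
    if SQL_PATTERN.search(token):
        reasons.append("sql_keyword")
    if any(t in token.lower() for t in TARGET_TABLES):
        reasons.append("targets_litellm_table")
    if entry.get("client_ip") in IOC_IPS:
        reasons.append("ioc_ip")
    return reasons

def scan(log_text: str) -> list:
    """Run classify() over every non-empty line and return the entries that were flagged."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client_ip": entry["client_ip"],
                         "path": entry["path"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat any hit as a reason to rotate keys, not merely to investigate: a request that reached the database with a quote in the token is evidence the injection point was touched, whatever the response status was.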
As AI gateways become major repositories for expensive cloud credentials, they must be treated as top-tier security targets.
Securing these proxy environments behind internal networks and maintaining strict patch management are essential steps to prevent devastating corporate credential theft.