In a rapid exploitation scenario, a newly disclosed critical security flaw in **BerriAI**'s **LiteLLM** Python package has been actively exploited within 36 hours of public disclosure. This highlights the increasing speed at which threat actors are leveraging newly discovered vulnerabilities. ### Vulnerability Details: CVE-2026-42208 The vulnerability, tracked as **CVE-2026-42208** (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying **LiteLLM** proxy database. According to **LiteLLM** maintainers, the vulnerability stems from a database query used during proxy API key checks where the caller-supplied key value was improperly handled. "A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter," **LiteLLM** maintainers said in a security advisory. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (e.g., POST /chat/completions) and trigger the vulnerable query through the proxy's error-handling path. Successful exploitation could allow attackers to read and modify the proxy's database, leading to unauthorized access to the proxy and the credentials it manages. ### Affected Versions The vulnerability affects the following versions: * >=1.81.16 * <1.83.7 ### Rapid Exploitation While the vulnerability was patched in version 1.83.7-stable, released on April 19, 2026, the first exploitation attempt was recorded on April 26, just over a day after the GitHub advisory was indexed. According to **Sysdig**, the SQL injection activity originated from the IP address 65.111.27[.]132. Security researcher Michael Clark from **Sysdig** noted that the malicious activity consisted of two phases driven by the same operator across two adjacent egress IPs, followed by a brief unauthenticated probe of the key-management endpoints. ### Targeted Data The attacker specifically targeted database tables like "litellm_credentials.credential_values" and "litellm_config," which contain sensitive information related to upstream large language model (LLM) provider keys and the proxy runtime environment. No probes were observed against tables like "litellm_users" or "litellm_team." This suggests a focused effort to extract sensitive secrets. The second phase of the attack, observed shortly after the first, involved a similar probe from a different IP address (65.111.25[.]67). ### Supply Chain Risk **LiteLLM**, a popular open-source AI Gateway software, was also recently targeted in a supply chain attack by the **TeamPCP** hacking group, further highlighting the risks associated with AI infrastructure. **Sysdig** emphasized the potential impact, stating, "A single litellm_credentials row often holds an **OpenAI** organization key with five-figure monthly spend caps, an **Anthropic** console key with workspace admin rights, and an **AWS Bedrock** IAM credential. The blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection." ### Mitigation Users are strongly advised to upgrade to the latest version (1.83.7 or later) immediately. As a temporary workaround, the maintainers recommend setting "disable_error_logs: true" under "general_settings" to mitigate the vulnerable path. ### Key Takeaways **Sysdig** concludes that the rapid exploitation of the **LiteLLM** vulnerability underscores the increasing threat landscape for AI infrastructure, with critical, pre-authentication vulnerabilities being targeted in software that manages cloud-grade credentials. The speed of exploitation highlights the need for proactive security measures and rapid patching.