Cybersecurity researchers are reporting active exploitation of a critical vulnerability in **LiteLLM**, an open-source LLM gateway. The vulnerability, identified as **CVE-2026-42208**, allows attackers to perform SQL injection attacks against the gateway. ## Vulnerability Details The flaw resides in the proxy API key verification step within **LiteLLM**. By sending a specially crafted `Authorization` header to any LLM API route, an unauthenticated attacker can exploit this vulnerability. This grants them the ability to read and modify data within the proxy's database. According to the maintainer's [security advisory](http://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc), threat actors could use this vulnerability for "unauthorised access to the proxy and the credentials it manages." ## Remediation A fix for this vulnerability was released in **LiteLLM** version 1.83.7. This update replaces string concatenation with parameterized queries, effectively mitigating the SQL injection risk. Given that **LiteLLM** stores sensitive data such as API keys, virtual and master keys, and environment/config secrets, successful exploitation could lead to significant security breaches. ## LiteLLM Overview **LiteLLM** is a widely used proxy/SDK middleware layer that provides a unified API for calling various AI models. It simplifies the management of multiple models for developers of LLM applications and platforms. The project boasts a substantial community following, with 45k stars and 7.6k forks on [GitHub](https://github.com/BerriAI/litellm). Notably, **LiteLLM** was recently targeted in a [supply-chain attack](https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/) where **TeamPCP** hackers compromised the PyPI package, deploying an infostealer to harvest credentials, tokens, and secrets from infected systems. ## Active Exploitation Researchers at **Sysdig** have reported that exploitation of **CVE-2026-42208** began approximately 36 hours after the vulnerability's public disclosure on April 24th. The observed attacks involved crafted requests sent to the `/chat/completions` endpoint, utilizing a malicious `Authorization: Bearer` header. These requests targeted specific tables containing API keys, provider credentials (e.g., **OpenAI**, **Anthropic**, **Bedrock**), environment data, and configurations. **Sysdig** noted that the attackers exhibited a clear understanding of the database structure, directly targeting tables containing sensitive information. In the second phase of the attack, the threat actor rotated IP addresses, likely for evasion purposes, and refined their SQL injection attempts based on information gleaned in the initial phase. While the exploitation timeline wasn't as rapid as the [recent flaw in Marimo](https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/), the attacks were highly targeted and specific, according to **Sysdig**. ## Recommendations Security professionals are urged to treat any exposed **LiteLLM** instances running vulnerable versions as potentially compromised. It is crucial to rotate all virtual API keys, master keys, and provider credentials stored in internet-exposed **LiteLLM** instances. For those unable to immediately upgrade to **LiteLLM** 1.83.7 or later, a workaround is available: setting `disable_error_logs: true` under `general_settings` to block the path through which malicious inputs can reach the vulnerable query.