Critical Pre‑Auth SQLi in LiteLLM (CVE‑2026‑42208) Exposes LLM API Keys and Secrets
What It Is – A pre‑authentication SQL injection flaw (CVE‑2026‑42208) in the open‑source LiteLLM gateway allows an attacker to send a malicious Authorization header and execute arbitrary SQL against the proxy’s database. The bug resides in the API‑key verification step and was patched in version 1.83.7.
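Because the flaw sits in the API-key verification step, the defensive shape of that step is worth seeing. The following is an added illustration, not LiteLLM's code and not a description of the 1.83.7 patch: the header is parsed, the token shape is validated, the token is hashed, and only then is the store consulted through a parameterised query, so the raw header value never becomes part of SQL. The key format (`sk-` plus 16 to 64 characters of `[A-Za-z0-9_-]`), the `virtual_keys` table and its columns are assumptions made for this example.

```python
import hashlib
import re
import sqlite3
from typing import Optional

# Assumed key format for this example (not LiteLLM's actual rule): "sk-" followed by
# 16 to 64 characters drawn from [A-Za-z0-9_-]. Anything else is rejected before any
# database access, so quotes, comment markers and the like never reach the query layer.
KEY_RE = re.compile(r"^sk-[A-Za-z0-9_-]{16,64}$")


def init_store() -> sqlite3.Connection:
    """Constructed in-memory key store; only a SHA-256 of each token is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token_hash TEXT PRIMARY KEY, alias TEXT NOT NULL)"
    )
    return conn


def register_key(conn: sqlite3.Connection, token: str, alias: str) -> None:
    """Insert a key (assumed schema); the same shape check applies on the way in."""
    if not KEY_RE.match(token):
        raise ValueError("token does not match the expected key format")
    digest = hashlib.sha256(token.encode()).hexdigest()
    conn.execute(
        "INSERT INTO virtual_keys (token_hash, alias) VALUES (?, ?)", (digest, alias)
    )
    conn.commit()


def verify_api_key(conn: sqlite3.Connection, authorization: Optional[str]) -> Optional[str]:
    """Return the alias for a valid 'Authorization: Bearer <token>' header, else None.

    Order matters: parse the scheme, validate the token shape, hash, then a
    parameterised lookup. The header value itself is never interpolated into SQL.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    if not KEY_RE.match(token):
        # Malformed input is rejected here and never becomes part of a query.
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    row = conn.execute(
        "SELECT alias FROM virtual_keys WHERE token_hash = ?", (digest,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = init_store()
    register_key(db, "sk-constructedExampleKey0001", "team-a")
    print(verify_api_key(db, "Bearer sk-constructedExampleKey0001"))  # team-a
    print(verify_api_key(db, "Bearer sk-constructedExampleKey9999"))  # None
    print(verify_api_key(db, "Bearer sk-a'"))  # None, rejected before any DB access
```

The two layers are deliberately redundant: the parameterised query alone would already stop injection, and the shape check alone would already stop the malformed header, so a regression in either one does not reopen the path the advisory describes.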
Exploitability – Active exploitation was observed within 36 hours of public disclosure. Researchers recorded targeted requests that harvested stored API keys, provider credentials, and environment secrets. CVSS v3.1 is estimated at 9.8 Critical.
Affected Products – LiteLLM (all versions < 1.83.7), an open‑source LLM proxy/SDK used by developers and SaaS platforms to unify access to OpenAI, Anthropic, Bedrock, and other models.
TPRM Impact –
- Third‑party applications that embed LiteLLM inherit the same credential store, creating a supply‑chain risk.
- Compromise of an exposed LiteLLM instance can reveal API keys that grant unrestricted access to downstream AI services, potentially leaking proprietary data or enabling further attacks on client environments.
Recommended Actions –
- Immediately upgrade all LiteLLM deployments to ≥ 1.83.7.
- Rotate every API, virtual, and master key stored in the proxy, as well as any provider credentials.
- Conduct a forensic review of logs for unauthorized Authorization header usage and anomalous SQL queries.
- Restrict internet exposure of LiteLLM endpoints; enforce network segmentation and zero‑trust controls.
- Review recent supply‑chain alerts (e.g., malicious PyPI packages) and verify integrity of all dependent Python packages.
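The forensic-review step above is easier to act on with a concrete triage pass over access logs. The following is an added example, not tooling from LiteLLM or from the source article: it reads constructed JSON-lines entries (the field names `ts`, `src`, `path`, `status`, `authorization` are assumptions, as is the `sk-` token shape), flags Authorization header values that carry SQL metacharacters or do not look like a key, and separates out the ones that still received a 200, since those reached application logic with a malformed credential.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Constructed sample access log as a reverse proxy in front of the gateway might emit
# (field names are assumptions, not LiteLLM's schema). A production log should record
# a fingerprint of the token rather than the raw value; the raw header is shown here
# only so the checks below have something to inspect.
SAMPLE_LOG = """\
{"ts":"2026-04-02T10:00:01Z","src":"10.0.0.5","path":"/chat/completions","status":200,"authorization":"Bearer sk-constructedExampleKey0001"}
{"ts":"2026-04-02T10:00:02Z","src":"10.0.0.5","path":"/chat/completions","status":200,"authorization":"Bearer sk-constructedExampleKey0001"}
{"ts":"2026-04-02T10:01:07Z","src":"203.0.113.9","path":"/chat/completions","status":401,"authorization":"Bearer sk-a'"}
{"ts":"2026-04-02T10:01:08Z","src":"203.0.113.9","path":"/chat/completions","status":200,"authorization":"Bearer sk-a\\""}
{"ts":"2026-04-02T10:01:09Z","src":"203.0.113.9","path":"/key/info","status":200,"authorization":"Bearer sk-a;--"}
{"ts":"2026-04-02T10:02:00Z","src":"10.0.0.7","path":"/models","status":200,"authorization":"Bearer sk-constructedExampleKey0002"}
"""

# Assumed token shape: "sk-" plus 16 to 64 characters of [A-Za-z0-9_-].
EXPECTED_TOKEN = re.compile(r"^sk-[A-Za-z0-9_-]{16,64}$")
# Characters with no place in a bearer token that are typical of SQL syntax.
SQL_META = re.compile(r"""['";]|--|/\*|\*/""")


def classify_header(value: str) -> List[str]:
    """Return the reasons an Authorization value looks suspicious (empty list = normal)."""
    reasons: List[str] = []
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer":
        reasons.append("non-bearer scheme")
    if SQL_META.search(token):
        reasons.append("sql metacharacters")
    if not EXPECTED_TOKEN.match(token):
        reasons.append("unexpected token shape")
    if len(token) > 128:
        reasons.append("oversized token")
    return reasons


def review_log(text: str) -> Dict[str, object]:
    """Scan JSON-lines access log text and summarise suspicious Authorization usage."""
    findings = []
    per_source: Counter = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        reasons = classify_header(entry.get("authorization", ""))
        if reasons:
            per_source[entry["src"]] += 1
            findings.append({
                "ts": entry["ts"], "src": entry["src"], "path": entry["path"],
                "status": entry["status"], "reasons": reasons,
            })
    # A malformed credential that still produced a 200 is the one to escalate.
    escalate = [f for f in findings if f["status"] == 200]
    return {"findings": findings, "escalate": escalate, "per_source": dict(per_source)}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["ts"], f["src"], f["path"], f["status"], ", ".join(f["reasons"]))
    print("escalate:", len(report["escalate"]), "per source:", report["per_source"])
```

On a real log the 401-only hits from a source are reconnaissance noise worth recording; the 200s from the same source are the ones that warrant pulling the database query log for the same timestamps, which is the "anomalous SQL queries" half of the review.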
Source: BleepingComputer