Critical SQL Injection in BerriAI LiteLLM (CVE‑2026‑42208) Enables Unauthenticated Database Access
What It Is – A critical SQL‑injection flaw (CVE‑2026‑42208) in the BerriAI LiteLLM Python package lets an unauthenticated attacker inject SQL through the Authorization header of any LLM API route. The flaw sits in the proxy's API‑key verification logic, which concatenates the supplied key directly into the SQL query that looks it up; because that lookup runs before any key has been validated, an attacker needs no valid credential to reach the vulnerable code.
Exploitability – Actively exploited in the wild within 36 hours of public disclosure. Proof‑of‑concept attacks have been observed targeting the proxy’s credential store. CVSS v3.1 score 9.3 (Critical).
Affected Products – BerriAI LiteLLM versions 1.81.16 through 1.83.6. The issue was patched in version 1.83.7 (released 19 April 2026).
TPRM Impact – Any third‑party that integrates LiteLLM—whether as a SaaS LLM gateway, an internal AI‑service platform, or a downstream API provider—faces immediate risk of credential theft, unauthorized data manipulation, and potential lateral movement into connected systems. Supply‑chain exposure is heightened for enterprises that rely on managed LLM services built on LiteLLM.
Recommended Actions –
- Patch Immediately – Upgrade to LiteLLM ≥ 1.83.7 across all environments.
- Inventory – Identify all applications, services, and third‑party vendors that embed LiteLLM; verify version compliance.
- Validate Input – Treat the Authorization header as untrusted input; review custom proxy implementations, plugins and forks for parameterised queries, and enforce prepared statements wherever the key value touches the database.
- Monitor – Deploy WAF/IDS rules to detect anomalous Authorization headers and SQL‑injection patterns on LLM endpoints.
- Credential Rotation – Regenerate API keys and provider credentials stored in the affected proxy database.
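The pattern behind the flaw and the two technical actions above (parameterised queries, header monitoring), as an added example that is not LiteLLM's code and not from the source article: a key lookup that splices the Authorization header into SQL text, the parameterised lookup beside it, and a header classifier run over constructed log lines. The `api_keys` table and its columns, the `sk-` key format, the function names and the log lines are all assumptions made for the example; sqlite3 stands in for whatever database the proxy really uses.

```python
"""Added example, not LiteLLM's own code: the key-lookup pattern behind
CVE-2026-42208, a hardened equivalent, and a header check for monitoring.

Everything below is constructed for illustration: the api_keys table, its
columns, the sk- key format and the function names are assumptions, not
LiteLLM's real schema or API.
"""
import re
import sqlite3


def make_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the proxy's credential database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (token TEXT PRIMARY KEY, user_id TEXT, max_budget REAL)"
    )
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("sk-alice-1234", "alice", 100.0), ("sk-bob-5678", "bob", 50.0)],
    )
    return conn


def bearer_token(authorization: str) -> str:
    """Return the key carried by an 'Authorization: Bearer <key>' header."""
    prefix = "Bearer "
    if authorization.startswith(prefix):
        return authorization[len(prefix):]
    return authorization


def verify_key_vulnerable(conn: sqlite3.Connection, authorization: str):
    """Vulnerable pattern: the header value is spliced into the SQL text.

    Whatever the client sends is parsed as SQL, so a crafted header can
    rewrite the WHERE clause (authentication bypass) or append a UNION that
    reads other rows (credential theft). Returns the matched row or None.
    """
    token = bearer_token(authorization)
    query = f"SELECT user_id, max_budget FROM api_keys WHERE token = '{token}'"
    return conn.execute(query).fetchone()


def verify_key_fixed(conn: sqlite3.Connection, authorization: str):
    """Hardened pattern: the key is bound as a query parameter.

    The driver passes the value separately from the statement text, so the
    quotes, OR and UNION in a hostile header are only bytes compared against
    the token column. Returns the matched row or None.
    """
    token = bearer_token(authorization)
    return conn.execute(
        "SELECT user_id, max_budget FROM api_keys WHERE token = ?", (token,)
    ).fetchone()


# Assumed key format for the allowlist check; adjust to the real key scheme.
VALID_HEADER = re.compile(r"^Bearer sk-[A-Za-z0-9_-]+$")
# Fragments that never appear in a well-formed key but do in injection payloads.
INJECTION_HINTS = re.compile(r"'|--|;|/\*|\bUNION\b|\bOR\b|\bSELECT\b", re.IGNORECASE)


def classify_authorization(authorization: str) -> str:
    """Monitoring rule: 'ok' for a well-formed key, 'sqli' when the header
    carries SQL fragments, 'malformed' for anything else worth a closer look."""
    if VALID_HEADER.match(authorization):
        return "ok"
    if INJECTION_HINTS.search(authorization):
        return "sqli"
    return "malformed"


# Constructed access-log lines (not real LiteLLM logs): route, then the header.
SAMPLE_LOG = [
    "POST /chat/completions Authorization=Bearer sk-alice-1234",
    "POST /chat/completions Authorization=Bearer ' OR '1'='1",
    "POST /embeddings Authorization=Bearer ' UNION SELECT token, max_budget "
    "FROM api_keys WHERE user_id = 'bob' --",
    "GET /models Authorization=Basic dXNlcjpwYXNz",
]


def scan_log(lines):
    """Return (route, verdict) for every line whose header is not 'ok'."""
    hits = []
    for line in lines:
        route, _, header = line.partition(" Authorization=")
        verdict = classify_authorization(header)
        if verdict != "ok":
            hits.append((route, verdict))
    return hits


if __name__ == "__main__":
    conn = make_store()
    bypass = "Bearer ' OR '1'='1"
    theft = ("Bearer ' UNION SELECT token, max_budget FROM api_keys "
             "WHERE user_id = 'bob' --")
    print("vulnerable, bypass:", verify_key_vulnerable(conn, bypass))
    print("vulnerable, theft :", verify_key_vulnerable(conn, theft))
    print("fixed, bypass     :", verify_key_fixed(conn, bypass))
    print("fixed, theft      :", verify_key_fixed(conn, theft))
    print("log hits          :", scan_log(SAMPLE_LOG))
```

Run directly, the vulnerable lookup returns a row for the OR payload and hands back bob's stored key for the UNION payload, while the parameterised lookup returns None for both and still resolves the genuine key. Python's sqlite3 `execute()` refuses stacked statements, which is why the payloads use OR and UNION rather than `;`; drivers that accept stacked statements expose more. The allowlist-first classifier is deliberately strict: a key that does not match the expected format is worth a look even when it carries no SQL fragment.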
Source: Security Affairs