# LiteLLM SQL Injection Flaw CVE-2026-42208 Actively Exploited Within 36 Hours

_Wednesday, April 29, 2026 at 4:27 AM EDT · Cybersecurity, AI · Latest · Tier 1 — Major_

![LiteLLM SQL Injection Flaw CVE-2026-42208 Actively Exploited Within 36 Hours — Primary](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgev8o8oELGzruYVoLF6t_fn8gZnmWpTXq4Xgoq5n4Tc1H4qmyLdYJ53-8pGelRL4BrBtZqpCCsSgo_He2ItCULVwwPIgOHuN6S6zn5s9RYFASTpWxIoX8vlPmigRngBNb0ucFElbHxiz8uPWa2OkasjaBTQAG8hqeHqi_llW4WMI_gIZHjx23jm-O3ccQx/s1700-e365/lite.jpg)

A critical SQL injection vulnerability in the widely used LiteLLM Python package is being actively exploited less than two days after public disclosure, according to researchers at Sysdig.

The flaw, tracked as CVE-2026-42208 with a CVSS score of 9.3, resides in the BerriAI open-source AI Gateway software. LiteLLM maintainers said in an advisory that a database query used during proxy API key checks mixed caller-supplied values directly into query text rather than passing them as parameters. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route and reach the query through the proxy's error-handling path.

The bug was patched in version 1.83.7-stable released on April 19, 2026. The first recorded exploitation attempt came on April 26 at 16:17 UTC, roughly 26 hours after the advisory was indexed in GitHub's Advisory Database. The activity originated from IP address 65.111.27[.]132.

Sysdig's Michael Clark said the attacker targeted database tables including "litellm_credentials.credential_values" and "litellm_config," which hold upstream LLM provider keys and proxy runtime settings. No probes were seen against user or team tables. In a second phase roughly 20 minutes later, the same operator shifted to a different IP and ran a similar probe.

LiteLLM has more than 45,000 GitHub stars and 7,600 forks. The project was the target of a supply chain attack by the TeamPCP group last month. Sysdig noted that a single litellm_credentials row often holds keys with five-figure monthly spend caps for providers including OpenAI, Anthropic, and AWS Bedrock, making a successful extraction comparable in impact to a cloud-account compromise.

Users are advised to upgrade to version 1.83.7 or later. If patching is not immediately possible, maintainers recommend setting "disable_error_logs: true" under "general_settings" to block the error-handling path that exposes the vulnerable query.
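To make the bug class and the interim mitigation concrete, here is an added illustration that is not LiteLLM's code: a hypothetical key-lookup function written the vulnerable way (caller-supplied Authorization value spliced into the SQL text) next to the parameterized form, plus a check that the `general_settings.disable_error_logs` setting from the advisory is actually set. Table and column names, the function shapes and the sample rows are all assumptions constructed for the example.

```python
"""Illustration of the bug class described above (not LiteLLM's code).

The table, column names and function shapes are assumptions that mirror the
advisory's description: a key check whose query mixes the caller-supplied
Authorization value into query text instead of binding it as a parameter.
"""
import sqlite3

# Constructed sample data: one valid proxy key row in an in-memory SQLite table.
SAMPLE_ROWS = [("sk-proxy-valid", "team-a")]


def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE verification_tokens (token TEXT, team_id TEXT)")
    con.executemany("INSERT INTO verification_tokens VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_key_unsafe(con, bearer):
    """Vulnerable pattern: the bearer value becomes part of the SQL statement,
    so quote characters in it can change the WHERE clause."""
    sql = f"SELECT team_id FROM verification_tokens WHERE token = '{bearer}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def lookup_key_safe(con, bearer):
    """Hardened pattern: the value is bound as a parameter and is compared as a
    literal string no matter what characters it contains."""
    sql = "SELECT team_id FROM verification_tokens WHERE token = ?"
    row = con.execute(sql, (bearer,)).fetchone()
    return row[0] if row else None


def error_logging_disabled(config):
    """Interim mitigation check from the advisory: the loaded proxy config must
    carry general_settings.disable_error_logs set to exactly True."""
    return config.get("general_settings", {}).get("disable_error_logs") is True


if __name__ == "__main__":
    con = setup_db()
    crafted = "x' OR '1'='1"  # constructed value, not a real key
    print(lookup_key_unsafe(con, crafted))  # team-a: WHERE clause was rewritten
    print(lookup_key_safe(con, crafted))    # None: compared as a plain string
    print(error_logging_disabled({"general_settings": {"disable_error_logs": True}}))
```

Running it shows the same crafted value yielding a row from the unsafe lookup and nothing from the parameterized one, which is the whole difference the patch makes.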

## Sources

- [The Hacker News](https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html)

---
Canonical: https://techandbusiness.org/newswire/nMSxjXpD1FV0FKp4ZeLC40
Publisher: Tech & Business (techandbusiness.org)
