LiteLLM Exploited 36 Hours After Disclosure: Pre-Auth SQL Injection Targets AI Credentials
CVE-2026-42208 in BerriAI LiteLLM was actively exploited just 36 hours after its public disclosure. The attack targeted high-value LLM API keys, posing a sever…
On April 26, 2026, at 04:24 UTC, threat actors began actively exploiting CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in BerriAI LiteLLM. The first attack occurred just 36 hours and 7 minutes after the advisory was publicly indexed in the GitHub Advisory Database on April 24 at 16:17 UTC.
The campaign specifically targeted the extraction of high-value LLM API keys. By leveraging the publicly available database schema of the open-source project, attackers were able to craft an exploit without the need for a published Proof of Concept (PoC). This rapid turnaround underscores a critical risk for organizations managing AI infrastructure exposed to public networks.
- CVE-2026-42208 (CVSS 9.3) affects LiteLLM versions 1.81.16 through 1.83.6, allowing pre-authentication SQL injection via the Authorization header.
- The first exploitation attempt was recorded on April 26, 2026, at 04:24 UTC—36 hours and 7 minutes post-disclosure.
- Attackers deployed 17 UNION SELECT payloads targeting three specific database tables, demonstrating advanced knowledge of the underlying Prisma framework schema.
- While no confirmed data exfiltration or follow-through was observed in this instance, the vulnerability potentially exposes OpenAI and Anthropic organizational keys, alongside AWS Bedrock IAM credentials.
Vulnerability Mechanics: CVE-2026-42208
The vulnerability, rated with a CVSS score of 9.3, exists within the gateway's authentication flow, which is designed to validate and manage access to AI services. User input within the Authorization header is concatenated directly into a SQL query for API key verification, bypassing necessary parameterization or input sanitization.
This architectural flaw enables a pre-authentication UNION-based SQL injection attack. When the application processes an invalid API key, the execution path triggers an error handling routine that runs the poisoned query directly against the underlying PostgreSQL database, exposing sensitive data.
Because the flaw does not require valid credentials to trigger, any internet-exposed instance is susceptible to unauthenticated database exploration. The lack of proper input handling makes this a critical defect for cloud infrastructures that expose the gateway without adequate network restrictions.
Attackers can exploit this bypass to extract entire tables or manipulate stored data. The failure to use prepared statements within the error path represents a significant security oversight in a component responsible for managing high-value secrets, such as AI model access keys.
Exploitation Timeline and Dynamics
The original advisory was indexed in the GitHub Advisory Database on April 24, 2026, at 16:17 UTC. Analysts at Sysdig detected the first wave of malicious traffic originating from IPs 65.111.27.132 and 65.111.25.67 exactly 36 hours and 7 minutes later, on April 26 at 04:24 UTC.
The threat actors did not wait for automated tools or public exploit scripts to be released. The transparency of the open-source ecosystem provided the necessary roadmap to construct effective queries. As the Sysdig research team noted: "The advisory and the open-source schema were ultimately enough."
The attack was not a generic mass scan. Instead, the operator conducted a surgical enumeration of column counts, sending 17 UNION SELECT payloads against three specific tables hosting LLM keys and system configurations.
This precision reveals a prior understanding of the Prisma framework used by LiteLLM for its ORM. The attacker's objective was clearly to map high-value secrets, isolating critical data rows while ignoring system tables irrelevant to credential access.
"The novelty of this finding is the speed and precision of the schema-enumeration attempt, not a confirmed compromise." - Sysdig Threat Research Team
Cloud Infrastructure Impact
An AI gateway like LiteLLM acts as a central repository for high-value cloud credentials. The risk associated with this vulnerability far exceeds that of a typical web application SQL injection, as a single database can centralize access to multiple AI service providers.
A single compromised row in the `litellm_credentials` table can grant an attacker a high level of access. This may include OpenAI organizational keys, Anthropic console keys, and AWS Bedrock IAM credentials. The spending limits associated with these keys can easily reach five figures per month.
Database extraction in this context translates directly to a compromise of the underlying cloud account. An attacker could use stolen keys to generate content, access proprietary models, or escalate the attack toward other AWS resources by leveraging exposed IAM credentials.
As Sysdig highlighted: "The blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection." Although no data exfiltration was confirmed in the initial logs, the conditions for total compromise were fully met.
While no virtual key generation or credential reuse was detected, the residual risk for unpatched instances remains critical. The centralization of API keys significantly amplifies the attack surface of the entire corporate cloud ecosystem.
Mitigation and Incident Response
- Immediately update all BerriAI LiteLLM instances to version 1.83.7, which addresses the vulnerability and was released on April 19, 2026. Systems running versions 1.81.16 through 1.83.6 are vulnerable and must be isolated if they cannot be updated immediately.
- Inspect PostgreSQL and gateway logs for the 17 specific UNION SELECT payloads or any anomalous queries against credential tables dating back to April 26, 2026. Verify if any traffic originated from IPs 65.111.27.132 and 65.111.25.67.
- Urgetly rotate and regenerate all LLM API keys (OpenAI, Anthropic, AWS Bedrock) managed by the gateway, even if there is no confirmed evidence of exfiltration, and revoke all previous credentials.
- Strictly limit network access to gateway management interfaces, preventing direct exposure to the public internet, and monitor outbound traffic for any communication with IPs associated with the targeted enumeration documented by Sysdig.
The LiteLLM incident highlights a critical shift in AI infrastructure security: the convergence of public disclosure, open-source documentation, and attack windows that have shrunk to just a few dozen hours. Organizations can no longer manage these vulnerabilities through traditional update cycles.
When internal schema knowledge becomes public, targeted attacks become immediate. Delaying updates exposes infrastructure to severe corporate cloud account compromises. Response speed is now the determining factor in the security of AI management platforms.
FAQ
- What is CVE-2026-42208? A critical pre-authentication SQL injection vulnerability (CVSS 9.3) in BerriAI LiteLLM that allows unauthenticated attackers to execute arbitrary queries on the PostgreSQL database via the Authorization header.
- Which versions of LiteLLM are affected? Versions 1.81.16 through 1.83.6 are vulnerable. Version 1.83.7, released on April 19, 2026, contains the fix.
- Was there a confirmed data breach? No. Analysts observed targeted schema enumeration, but no data exfiltration, virtual key generation, or credential reuse by the attacker was confirmed.
Information has been verified against cited sources and is accurate as of the date of publication.
Sources
- https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html
- https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure
- https://securityaffairs.com/191483/hacking/cve-2026-42208-litellm-bug-exploited-36-hours-after-its-disclosure.html