EXECUTIVE SUMMARY:
A vulnerability tracked as CVE-2026-42208 has been identified in LiteLLM, an open-source AI gateway widely used to manage and proxy requests to multiple large language model providers. The flaw affects the authentication verification workflow and allows unauthenticated attackers to inject malicious SQL queries via crafted requests. Due to its pre-authentication nature, the vulnerability can be exploited remotely without valid credentials, potentially exposing highly sensitive backend data stored within the LiteLLM system.
The vulnerability stems from improper handling of user-supplied input within SQL queries used to validate bearer tokens. Instead of using parameterized queries, the system directly incorporates the Authorization header value into database statements, allowing attackers to break out of the intended query structure and inject arbitrary SQL commands. Exploitation attempts observed in the wild demonstrate systematic schema enumeration, targeting high-value database tables that store virtual API keys, provider credentials, and sensitive configuration data. Attackers used UNION-based payloads to extract data, iteratively determining database structure and escalating queries to access secrets such as authentication tokens and environment variables. In some cases, automated behavior indicators such as repeated payload variations and IP rotation suggest the use of scripted exploitation tools designed to maximize data exfiltration opportunities.
The issue is significant because of its pre-authentication exposure and the sensitive nature of the data that LiteLLM deployments manage. Successful exploitation could lead to full compromise of AI provider credentials and of downstream cloud services integrated through the gateway. Organizations using affected versions are strongly advised to upgrade to the patched release and to rotate all stored API keys and credentials. Additionally, monitoring for suspicious Authorization header patterns and enforcing strict input validation at proxy layers are essential to mitigating active exploitation risk.
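The two paragraphs above describe the root cause (an Authorization header value concatenated into a SQL statement instead of being bound as a parameter) and the recommended monitoring. The following is an added illustration, not LiteLLM's own code: a hypothetical token lookup in its vulnerable and parameterized forms over a constructed in-memory SQLite table, plus a simple detector that flags request log lines whose bearer token carries SQL metacharacters or keywords. Table name, columns, and log format are all assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a gateway's virtual-key store
# (hypothetical schema, not LiteLLM's real table).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO virtual_keys VALUES (?, ?)",
                   [("sk-valid-123", "alice"), ("sk-valid-456", "bob")])
    return db

def lookup_token_vulnerable(db, token):
    # The anti-pattern the advisory describes: the header value is spliced
    # into the SQL text, so quote characters change the query's structure.
    sql = f"SELECT owner FROM virtual_keys WHERE token = '{token}'"
    return [row[0] for row in db.execute(sql)]

def lookup_token_safe(db, token):
    # Parameterized query: the token is bound as data and never parsed as SQL,
    # so a crafted value simply fails to match any stored key.
    rows = db.execute("SELECT owner FROM virtual_keys WHERE token = ?", (token,))
    return [row[0] for row in rows]

# Detection: bearer tokens are opaque strings and should never contain
# quotes, comment markers, or SQL keywords.
SUSPICIOUS = re.compile(r"(['\";]|--|/\*|\bUNION\b|\bSELECT\b)", re.IGNORECASE)
BEARER = re.compile(r"Authorization: Bearer (.*)$")

def flag_authorization_headers(log_lines):
    """Return the log lines whose bearer token looks like SQL rather than a key."""
    hits = []
    for line in log_lines:
        m = BEARER.search(line)
        if m and SUSPICIOUS.search(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (hypothetical format) for the detector.
SAMPLE_LOG = [
    "GET /v1/models Authorization: Bearer sk-valid-123",
    "GET /v1/models Authorization: Bearer sk-x' UNION SELECT 1--",
    "GET /v1/models Authorization: Bearer sk-valid-456",
]
```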
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Collection | T1213.002 | Data from Information Repositories | SharePoint |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1499.004 | Endpoint Denial of Service | Application or System Exploitation |
REFERENCES:
The following reports contain further technical details:
https://securityaffairs.com/191964/security/u-s-cisa-adds-a-flaw-in-berriai-litellm-to-its-known-exploited-vulnerabilities-catalog.html
https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure