CVE-2026-42208: LiteLLM SQL Injection Leaks Upstream API Keys

A pre-authentication SQL injection in LiteLLM — the open-source proxy that lets developers route calls to OpenAI, Anthropic, Gemini, Groq, and 100+ other LLM providers through a single unified API — was exploited in the wild 36 hours after the GitHub advisory was published. CVE-2026-42208 carries a CVSS score of 9.3 (Critical). The data it exposes: the credential table storing every upstream provider API key your LiteLLM instance holds. That means OpenAI API keys, Anthropic API keys, Gemini credentials, and any other provider tokens with potentially five-figure monthly spend caps attached.

LiteLLM has more than 45,000 GitHub stars and 7,600 forks. If you run a self-hosted LiteLLM proxy — for a team, a startup, or a production AI application — patch to version 1.83.7-stable immediately.

What LiteLLM Is and Why This Matters

LiteLLM is the most widely deployed open-source AI gateway. Its core function: you configure it once with all your LLM provider API keys, point your application at your LiteLLM endpoint, and from that point on your application calls a single OpenAI-compatible API regardless of which underlying model you use. Switch from GPT-5 to Claude Opus to Llama without changing application code.

This architecture is extremely useful and increasingly common in production deployments. It is also why this vulnerability is severe: your LiteLLM instance is the single point holding all your upstream provider credentials. Compromise the proxy, and you get every API key it manages — not just one.

Organizations running LiteLLM typically configure it with API keys for:

• OpenAI (access to GPT-5.5, GPT-5, embeddings)
• Anthropic (Claude Opus 4.7, Claude Sonnet)
• Google (Gemini 3.1 Ultra, Gemini Flash)
• Groq, Together AI, Fireworks (open-source model hosting)
• Azure OpenAI Service credentials
• Any custom or internal model endpoints

Each of these keys may have monthly spend limits in the thousands to hundreds of thousands of dollars. A stolen key is not just a credential — it is financial access to billing at scale.

The Vulnerability: Pre-Auth SQL Injection

CVE-2026-42208 is a SQL injection flaw in LiteLLM's authentication path. The specific entry point: any LLM API route (such as POST /chat/completions, POST /embeddings, POST /completions) that processes an Authorization Bearer token.

The flaw is in LiteLLM's error handling for malformed Bearer tokens. When an invalid or crafted Bearer value is submitted, the error-handling code path passes the raw token value directly into a SQL query without parameterization. A standard SQL injection payload in the Bearer header value triggers the flaw.

The attack does not require an existing account or any prior authentication — hence "pre-auth." Any network-accessible LiteLLM instance (including instances exposed to the internet for team or partner access) is vulnerable.

What the injection can reach:

The primary target tables are:

• litellm_credentials — specifically the credential_values column, which stores upstream provider API keys in an encrypted-at-rest format. However, the encryption key is also stored in the LiteLLM configuration, meaning an attacker who reads the config table can decrypt the credentials.
• litellm_config — runtime configuration including the master API key, database connection strings, and environment variable overrides.

In a complete exploit chain: read litellm_config to get the encryption key, read litellm_credentials.credential_values to get encrypted upstream keys, decrypt. This gives you all provider credentials the LiteLLM instance manages.

Exploitation Timeline

The timeline from disclosure to active exploitation is the most alarming detail:

• April 19, 2026: LiteLLM releases version 1.83.7-stable with the fix. GitHub security advisory published simultaneously.
• April 20, 2026, 16:17 UTC: First exploit attempt logged against a honeypot instance. 26 hours after advisory publication.
• Source IP: 65.111.27.132 (attributed to automated vulnerability scanner picking up the GitHub advisory)
• April 26, 2026: Sysdig threat research confirms active exploitation against production instances, not just honeypots. Attacker tooling is automated — scanning for LiteLLM instances by detecting the /health endpoint and probing for the SQL injection.

The 36-hour window from disclosure to confirmed wild exploitation is in line with recent patterns for critical pre-auth vulnerabilities in widely deployed developer infrastructure. There is no "give it a few days" window here.

Affected Versions

Vulnerable: LiteLLM versions 1.81.16 through 1.83.6 (inclusive).

Patched: Version 1.83.7-stable, released April 19, 2026.

To check your current version: pip show litellm or check your Docker image tag.

To upgrade: pip install --upgrade litellm or update your Docker image to litellm/litellm:1.83.7-stable.

Scope clarification: The vulnerability affects the LiteLLM proxy server component, not the Python client library used to call the proxy. If you use LiteLLM purely as a Python library (import litellm; litellm.completion(...)) without running the proxy server, you are not directly vulnerable to this CVE — though you should still upgrade because 1.83.7 contains other security fixes.

Mitigation If You Cannot Patch Immediately

If an immediate upgrade is not possible:

Option 1 — Disable error logs: Set disable_error_logs: true under general_settings in your LiteLLM config file. This suppresses the error handler path that contains the injection flaw. It is a partial mitigation, not a full fix.

Option 2 — Network isolation: If your LiteLLM proxy is not required to be internet-accessible, immediately restrict it to internal network access only. The attack requires reaching the LLM API endpoints — no network access, no attack.

Option 3 — WAF rule: Add a Web Application Firewall rule blocking requests where the Authorization header contains SQL metacharacters (single quotes, semicolons, union, select keywords). This is fragile and version-specific, but buys time.

None of these are substitutes for upgrading to 1.83.7-stable.

Developer Action Checklist

If you run LiteLLM proxy:

1. Check your version immediately: pip show litellm
2. Upgrade to 1.83.7-stable: pip install --upgrade litellm (or update Docker image)
3. Rotate all upstream API keys stored in your LiteLLM instance — OpenAI, Anthropic, Google, all of them. The patch prevents future exploitation; key rotation addresses potential past compromise.
4. Check your LiteLLM access logs for requests to /chat/completions, /embeddings, or /completions with unusual Authorization header values during April 20–29, 2026.
5. If you store LiteLLM credentials in a database, check for unauthorized access to the litellm_credentials table during the exposure window.
6. Implement network-level access controls: LiteLLM proxy should not be publicly accessible unless required. Use internal DNS or VPN-only access patterns.

If you use a third-party service built on LiteLLM:

Contact your service provider and ask whether their LiteLLM version is patched to 1.83.7-stable. Any managed AI gateway running vulnerable LiteLLM versions is a shared risk across all their customers.

The Broader Pattern: AI Gateway Security

LiteLLM is not the first AI gateway to have a critical security vulnerability. The pattern is structural: AI gateways sit at a privileged position in the infrastructure — they hold credentials for every LLM provider, log every prompt and completion, and are accessed by production applications. They are high-value targets.

The attack surface of an AI gateway includes:

• Credential storage (this CVE)
• Prompt injection via logged content
• Model routing manipulation
• Rate limit bypass for competitor credential use
• Audit log tampering

If you operate AI infrastructure at production scale, treating your LLM gateway with the same security posture as your secrets manager (HashiCorp Vault, AWS Secrets Manager) is not optional. Credential rotation schedules, network isolation, access logging, and zero-trust access patterns all apply.

Key Takeaways

• CVE-2026-42208 (CVSS 9.3): pre-auth SQL injection in LiteLLM proxy versions 1.81.16–1.83.6; targets credential_values and litellm_config tables; gives attacker all upstream LLM provider API keys
• Exploited 36 hours after disclosure: active exploitation confirmed by April 21; now automated scanning is targeting production instances — this is not a theoretical risk
• Patch immediately: upgrade to litellm 1.83.7-stable or update Docker image to litellm/litellm:1.83.7-stable
• Rotate all API keys: assume any LiteLLM instance that was running vulnerable versions had its credentials accessed; rotate OpenAI, Anthropic, Google, and all other stored provider keys
• Partial mitigation: disable_error_logs: true in config if immediate upgrade is blocked; also restrict network access to internal-only
• AI gateways are high-value targets: treat LiteLLM and similar proxies with the same security posture as a secrets manager — credential rotation, network isolation, access logging, zero-trust access

For the APT28 router attack that also targeted developer credentials, read APT28 Hijacked 18,000 Routers to Steal Microsoft OAuth Tokens. For the Windows Defender zero-days requiring parallel patching, read CVE-2026-33825 BlueHammer: Defender Zero-Day Grants SYSTEM. For the Bitwarden supply chain attack pattern, read Bitwarden CLI npm Supply Chain Attack.