Security researchers have confirmed active exploitation of a critical SQL injection vulnerability in the LiteLLM proxy. This is an open‑source AI gateway widely used to centralize and manage API access to large language model (LLM) providers such as OpenAI, Anthropic, and Google. Read this Cybersecurity Threat Advisory now to mitigate you and your clients’ risk.
What is the threat?
CVE‑2026‑42208 is a pre‑authentication SQL injection vulnerability within the LiteLLM proxy’s API key verification logic. In affected versions, malformed Authorization Bearer tokens were improperly handled, allowing attacker‑supplied input to be passed directly into database queries without proper parameterization.
An unauthenticated attacker with network access to a LiteLLM proxy endpoint could exploit this issue by sending crafted HTTP requests to LLM API routes, potentially enabling:
- Arbitrary SQL query execution against the LiteLLM database
- Unauthorized access to stored LLM provider API keys
- Inspection or modification of proxy configuration and credential tables
The vulnerability affects LiteLLM versions 1.81.16 through 1.83.7. The issue was addressed in version 1.83.7, with the vendor recommending 1.83.10‑stable as the preferred release.
Why is it noteworthy?
This campaign is notable for several reasons:
- Threat actors began exploiting the vulnerability within hours of disclosure, underscoring how quickly exposed AI infrastructure is identified and targeted.
- LiteLLM functions as a centralized credential broker, often storing multiple upstream API keys with high usage or billing limits. A single compromise could expose credentials across several AI providers.
- Exploitation does not require valid authentication, significantly lowering the barrier for attack against exposed instances.
- AI gateways and orchestration layers are increasingly attractive targets as organizations consolidate access to AI services behind shared proxies.
What is the exposure or risk?
Organizations face elevated risk if they:
- Operate self‑hosted LiteLLM proxy instances running affected versions
- Expose LiteLLM API endpoints to untrusted or internet‑accessible networks
- Store production LLM provider API keys within the LiteLLM database
- Lack monitoring for unusual API requests or database activity targeting AI infrastructure
Potential impact includes credential theft, unauthorized AI usage, unexpected financial charges, and secondary compromise of downstream systems that rely on exposed API keys.
What are the recommendations?
Barracuda recommends the following steps to reduce risk:
- Immediately upgrade LiteLLM to version 1.83.7 or later, with 1.83.10‑stable preferred
- Restrict network exposure of LiteLLM proxies, limiting access to trusted IP ranges or internal networks
- Rotate all LLM provider API keys stored in affected proxy instances, particularly if exposure occurred prior to patching
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html?m=1
- https://www.securityweek.com/fresh-litellm-vulnerability-exploited-shortly-after-disclosure/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
