Critical Vulnerability Discovered in LiteLLM Python Package, Exploitation Initiated Within 36 Hours
In a recent cybersecurity incident, a serious vulnerability has been identified in the LiteLLM Python package developed by BerriAI. This flaw, cataloged as CVE-2026-42208, has been linked to an SQL injection issue that can allow malicious actors to manipulate the underlying LiteLLM proxy database. Alarmingly, exploitation of this vulnerability was recorded less than two days after it became publicly known, indicating a fast-paced response from threat actors.
The disclosure of this vulnerability highlighted that the issue arose from the mishandling of a database query during proxy API key validations. Specifically, the API endpoint incorrectly incorporated the caller-supplied key into the query rather than treating it as a separate parameter. This design flaw potentially grants unauthorized access to the database, enabling attackers to read and modify sensitive information, including proxy credentials managed within LiteLLM.
LiteLLM, an open-source AI Gateway software, boasts significant usage, with over 45,000 stars and 7,600 forks on GitHub. The recent vulnerability affects versions greater than or equal to 1.81.16 but less than 1.83.7. The maintainers promptly addressed the issue in version 1.83.7-stable, released on April 19, 2026. However, the first known exploit attempt occurred just hours later, revealing an alarming window of opportunity for attackers.
Investigations indicate that the exploitation originated from a specific IP address and consisted of two distinct phases of malicious activity driven by the same entity. The attacker exploited database tables such as “litellm_credentials.credential_values” and “litellm_config,” which contain critical information regarding service provider keys and runtime configurations. The fact that the attacker focused on these sensitive tables suggests a high level of awareness of LiteLLM’s architecture.
An additional point of concern is the nature of data at risk. As noted by security analysts, the types of credentials stored within LiteLLM can represent significant financial and operational implications, including API keys with high spending thresholds. Consequently, a successful compromise of this database could lead to broader vulnerabilities, extending beyond a conventional SQL injection incident.
Business owners and IT administrators using LiteLLM are strongly encouraged to upgrade to the latest version of the software to eliminate exposure to this vulnerability. If immediate updates are not feasible, it is recommended to implement an interim configuration change—specifically disabling error logs to restrict unauthorized input from reaching the vulnerable query path.
The rapid timeline of the exploit offers insights into adversary tactics likely employed in this incident. Utilizing the MITRE ATT&CK framework, tactics such as initial access through untrusted input manipulation and privilege escalation via sensitive data access can be inferred. These approaches reflect broader trends of increasing sophistication among cybercriminals who capitalize on lax security measures in popular software.
On May 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2026-42208 in its list of Known Exploited Vulnerabilities, mandating affected Federal agencies to implement patches by May 11, 2026. This classification underlines the urgency and seriousness of the vulnerability, reinforcing the need for vigilance and proactive measures within the cybersecurity landscape.
As the cyber threat environment continues to evolve, the incident with LiteLLM serves as a salient reminder of the challenges faced by organizations relying on open-source software. It highlights the critical need for ongoing security assessments and timely updates to safeguard sensitive information from potential breaches.