Cyber Resilience

CVE-2026-42208

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 08 May 2026

Modified
29 June 2026
KEV Added
08 May 2026
Patch
1.83.7
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.8452 99.7th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-42208 is a critical-severity SQL Injection (CWE-89) vulnerability in LiteLLM (catalogued under vendor Litellm, product Litellm). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

This vulnerability is classified as AI-related (category: APIs and Models; risk domain: Data-Related Vulnerabilities).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

LiteLLM is an AI gateway proxy that routes calls to LLM provider APIs using an OpenAI-compatible interface. CVE-2026-42208 is a SQL injection vulnerability (CWE-89) present in versions 1.81.16 through 1.83.6. During proxy API-key validation, the code interpolated an attacker-supplied value directly into a database query string instead of using a parameterized statement; the flawed query could be reached on any LLM endpoint through the proxy’s error-handling path.

An unauthenticated remote attacker can exploit the flaw by sending a crafted Authorization header to routes such as POST /chat/completions. Successful exploitation allows arbitrary read and write access to the proxy’s database, enabling theft or modification of stored API keys and other credentials and thereby granting unauthorized control of the LiteLLM instance and the downstream LLM providers it manages.
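To make the bug class concrete, here is an added example that is not LiteLLM's code: the `api_keys` table and its columns, the `sk-` token shape and the SQLite backend are all assumptions standing in for a proxy's virtual-key store. It puts an API-key lookup that formats the bearer token into the query text beside the parameterized form, and adds the kind of input-validation gate that the SI-10 control under Mitigating Controls calls for. A crafted Authorization header dumps every stored key (and "authenticates" the caller) through the vulnerable path, while the bound-parameter path returns nothing and the shape check rejects the request before any database work.

```python
"""Added illustration of the CWE-89 pattern behind CVE-2026-42208.
Not LiteLLM's code: the schema, token format and SQLite backend are invented
stand-ins for a proxy's virtual-key store."""
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample keys (token, owner, alias); nothing here is real.
SAMPLE_KEYS = [
    ("sk-1111-alice", "alice", "alice-prod"),
    ("sk-2222-bob", "bob", "bob-dev"),
]

# Assumed key alphabet for the defence-in-depth gate (SI-10 style allowlist).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the proxy database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (token TEXT PRIMARY KEY, user_id TEXT, key_alias TEXT)"
    )
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", SAMPLE_KEYS)
    return conn


def bearer_token(authorization: str) -> str:
    """Split the scheme off an Authorization header; no trust decision yet."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme")
    return token.strip()


def lookup_key_vulnerable(conn, authorization: str) -> List[Tuple[str, str]]:
    """The bug class: the caller-controlled token is formatted into the SQL
    text, so quotes and keywords in the header rewrite the query."""
    token = bearer_token(authorization)
    query = f"SELECT token, user_id FROM api_keys WHERE token = '{token}'"
    return conn.execute(query).fetchall()


def lookup_key_safe(conn, authorization: str) -> List[Tuple[str, str]]:
    """The fix: the token is bound as a parameter, so the driver sends it as
    data and its contents are never parsed as SQL."""
    token = bearer_token(authorization)
    return conn.execute(
        "SELECT token, user_id FROM api_keys WHERE token = ?", (token,)
    ).fetchall()


def token_shape_ok(authorization: str) -> bool:
    """Defence in depth: reject tokens outside the expected alphabet before
    any database work. Not a substitute for parameterization."""
    return TOKEN_RE.fullmatch(bearer_token(authorization)) is not None


def validate(conn, authorization: str, lookup=lookup_key_safe) -> Optional[str]:
    """Return the owner of the presented key, or None (a real proxy would
    answer 401). The vulnerable lookup is selectable only to show the contrast."""
    rows = lookup(conn, authorization)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = setup_db()
    # A legitimate key behaves the same through either path.
    print(validate(db, "Bearer sk-2222-bob", lookup_key_vulnerable))  # bob
    print(validate(db, "Bearer sk-2222-bob"))                         # bob

    # Crafted header 1: a tautology makes the lookup return every stored key,
    # so the vulnerable path both leaks keys and "authenticates" the caller.
    tautology = "Bearer ' OR '1'='1"
    print(token_shape_ok(tautology))             # False: reject before any SQL
    print(lookup_key_vulnerable(db, tautology))  # every stored token
    print(lookup_key_safe(db, tautology))        # []

    # Crafted header 2: a UNION reads an unrelated table (SQLite's catalogue
    # here; in a real store, whatever else the DB account can see).
    union = "Bearer ' UNION SELECT name, sql FROM sqlite_master --"
    print(lookup_key_vulnerable(db, union))
    print(lookup_key_safe(db, union))            # []
```

The shape check is deliberately kept out of `lookup_key_safe`: binding the parameter is what closes the injection, and the allowlist is an extra layer that also gives you a cheap, loggable signal (a 401 with a malformed-token reason) for the crafted headers this CVE is exploited with.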

The vulnerability is fixed in release 1.83.7; the project's GitHub advisory and release notes recommend upgrading immediately. The issue is also listed in CISA's Known Exploited Vulnerabilities catalog, which confirms observed in-the-wild exploitation. The EPSS score cited in this analysis is 0.6259, with no material increase after disclosure; the header above records a peak of 0.8452 (99.7th percentile).

Vulnerability details

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

CWE(s)
CWE-89 (SQL Injection)
KEV Date Added
08 May 2026

AI Security Analysis

AI Category
APIs and Models
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, llm, openai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated SQL injection in public-facing LiteLLM proxy API routes enables exploitation of a public-facing application to read/modify backend data and obtain credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42271 · Same product: Litellm Litellm · both on KEV
CVE-2026-40217 · Same product: Litellm Litellm
CVE-2026-35030 · Same product: Litellm Litellm
CVE-2026-35029 · Same product: Litellm Litellm
CVE-2026-47101 · Same product: Litellm Litellm
CVE-2026-47102 · Same product: Litellm Litellm
CVE-2024-9606 · Same product: Litellm Litellm
CVE-2026-9082 · Shared CWE-89 · both on KEV
CVE-2026-21643 · Shared CWE-89 · both on KEV
CVE-2025-25181 · Shared CWE-89 · both on KEV

Affected Assets

Vendor: litellm
Product: litellm
Versions: 1.81.16 to before 1.83.7 (fixed in 1.83.7)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Directly requires validation and sanitization of untrusted inputs (here the Authorization header) before they reach a database query, blocking the SQL injection at its source.

prevent · SI-2 Flaw Remediation

Mandates timely identification and remediation of known vulnerabilities such as this SQLi flaw, directly addressed by upgrading LiteLLM to the patched 1.83.7 release.

prevent

Limits the privileges of the database account used by the proxy so that even a successful injection cannot arbitrarily read or modify API keys and credentials.
