CVE-2026-42208
Published: 08 May 2026
Summary
CVE-2026-42208 is a critical-severity SQL Injection (CWE-89) vulnerability in LiteLLM. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
This vulnerability is AI-related: it is categorised under APIs and Models, in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
LiteLLM is an AI gateway proxy that routes calls to LLM provider APIs using an OpenAI-compatible interface. CVE-2026-42208 is a SQL injection vulnerability (CWE-89) present in versions 1.81.16 through 1.83.6. During proxy API-key validation, the code interpolated an attacker-supplied value directly into a database query string instead of using a parameterized statement; the flawed query could be reached on any LLM endpoint through the proxy’s error-handling path.
An unauthenticated remote attacker can exploit the flaw by sending a crafted Authorization header to routes such as POST /chat/completions. Successful exploitation allows arbitrary read and write access to the proxy’s database, enabling theft or modification of stored API keys and other credentials and thereby granting unauthorized control of the LiteLLM instance and the downstream LLM providers it manages.
The vulnerability is fixed in release 1.83.7. The project’s GitHub advisory and release notes recommend immediate upgrade; the issue is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score stands at 0.6259 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28503
Vulnerability details
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
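The defect described in the analysis and in the advisory text above is the CWE-89 pattern of interpolating the Authorization header value into the key-lookup query instead of binding it as a parameter. The following is an added illustration, not LiteLLM's own code: the table, column and function names are assumptions, and the in-memory SQLite table and the header values are constructed for the demonstration. It places the interpolating lookup beside the parameterized one so the behavioural difference on a malformed token can be verified.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the proxy's key table. The table name, columns and
# function names are assumptions for illustration, not LiteLLM's own schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-valid-key-0001', 'team-a')")
    conn.commit()
    return conn

def bearer_token(authorization: str) -> str:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Bearer <token>'")
    return token.strip()

def lookup_key_vulnerable(conn: sqlite3.Connection, authorization: str) -> Optional[Tuple[str, str]]:
    """The CWE-89 pattern: the header value becomes part of the SQL text."""
    token = bearer_token(authorization)
    sql = f"SELECT token, team FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchone()

def lookup_key_fixed(conn: sqlite3.Connection, authorization: str) -> Optional[Tuple[str, str]]:
    """The remediation: the header value is bound as a parameter and is never parsed as SQL."""
    token = bearer_token(authorization)
    sql = "SELECT token, team FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (token,)).fetchone()

def compare(conn: sqlite3.Connection, authorization: str):
    """Run both lookups on one header value; a SQL error on the vulnerable path is returned as text."""
    try:
        vulnerable = lookup_key_vulnerable(conn, authorization)
    except sqlite3.Error as exc:
        vulnerable = f"sql error: {exc}"
    return vulnerable, lookup_key_fixed(conn, authorization)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a real key, a key containing a stray quote, and a textbook tautology.
    for header in ("Bearer sk-valid-key-0001", "Bearer sk-o'neil", "Bearer ' OR 1=1 --"):
        print(repr(header), "->", compare(db, header))
```

The parameterized lookup returns no row for anything other than the exact stored token, which is the property a regression test for this fix should assert.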
- CWE(s)
- CWE-89 (SQL Injection)
- KEV Date Added
- 08 May 2026
AI Security Analysis
- AI Category
- APIs and Models
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, llm, openai
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct unauthenticated SQL injection in public-facing LiteLLM proxy API routes enables exploitation of a public-facing application to read/modify backend data and obtain credentials.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted inputs (here, the Authorization header) before they reach database queries, blocking the SQL injection at its source.
- SI-2 (Flaw Remediation): mandates timely identification and remediation of known vulnerabilities such as this SQLi flaw, directly addressed by upgrading LiteLLM to the patched 1.83.7 release.
- Least privilege for the proxy's database account: limits the privileges of the database account used by the proxy so that even a successful injection cannot arbitrarily read or modify API keys and credentials.