External risk intelligence

LiteLLM proxy can be tricked into revealing and changing database info.

CVE advisoryKnown Exploit

CVE-2026-42208

A security flaw in LiteLLM, an AI gateway, lets attackers read or change sensitive database information, potentially exposing credentials. This issue is actively exploited and requires urgent attention.

4Halo Surface Signal

SQL Injection

Litellm

1.81.16 to before 1.83.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-42208

LiteLLM functions as an AI gateway proxy designed to manage API traffic. The vulnerability exists within standard API routes used for authentication. These services are commonly deployed as web-facing APIs or edge services, making the exposed endpoints accessible to network callers, consistent with a likely public-facing deployment pattern.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in LiteLLM, an AI gateway, allows an unauthenticated attacker to read or modify data in the proxy's database. This could lead to unauthorized access to sensitive credentials managed by the proxy.

  • Attacker can access sensitive credentials.
  • Affects systems using LiteLLM as a proxy.
  • Requires no special access to exploit.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a malicious Authorization header to the LiteLLM proxy's API endpoints. This crafted header triggers an error-handling path, leading to a SQL injection that can expose or modify sensitive data within the proxy's database. This grants unauthorized access to the proxy and any managed credentials.

  • No authentication required.
  • Target API routes with Authorization header.
  • Exploits error handling for SQL injection.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in LiteLLM is attractive to attackers because it allows them to directly query the proxy's database, potentially exposing sensitive credentials and internal data. The vulnerability is present in a core function of the proxy, making it broadly impactful if exploited.

  • Listed on KEV.
  • Public exploit likely.
  • Exploited in the wild.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating LiteLLM to version 1.83.7 to address the critical SQL injection vulnerability. If immediate patching is not feasible, isolate affected services to prevent exploitation of the database access vulnerability.

  • Update LiteLLM to 1.83.7.
  • Isolate affected services.
  • Monitor for suspicious database access.

Frequently asked questions

What is LiteLLM and its function as an AI Gateway?

LiteLLM serves as an AI Gateway, functioning as a proxy server. It enables users to interact with various Large Language Model (LLM) APIs, like those from OpenAI, through a unified, OpenAI-like format. This standardization simplifies the process of calling different LLM services by offering a consistent interface.

What type of security weakness does CVE-2026-42208 represent?

CVE-2026-42208 is identified as a SQL injection vulnerability (CWE-89). This weakness allows an attacker to manipulate database queries by injecting malicious SQL code. Such manipulation could permit unauthorized reading or modification of data stored within the LiteLLM proxy's database.

How can an unauthenticated attacker exploit the LiteLLM vulnerability?

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted Authorization header to any LLM API route, such as POST /chat/completions. This crafted header triggers the proxy's error-handling path, leading to a SQL injection that can compromise the proxy's database, potentially exposing or altering its data and managed credentials.

What is the significance of CVE-2026-42208 for deployed systems?

The SQL injection vulnerability in LiteLLM (CVE-2026-42208) is critical as it allows unauthenticated network-based attacks. Attackers can exploit this to gain unauthorized access to sensitive credentials managed by the proxy, posing a significant risk to the integrity and confidentiality of data. The vulnerability is considered 'Likely' to be exposed externally due to the nature of API gateway services.

What steps should be taken to mitigate the LiteLLM vulnerability?

To address this vulnerability, it is crucial to update LiteLLM to version 1.83.7 or later, as this version contains the necessary patch. If immediate patching is not possible, consider isolating the affected LiteLLM services to limit potential exploitation and continuously monitor for any suspicious database access activities.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished