INFOthreat

CVE-2026-42208: Critical SQL Injection in BerriAI LiteLLM AI Gateway

A critical SQL injection vulnerability (CVE-2026-42208) affects BerriAI LiteLLM versions from 1.81.16 up to, but not including, 1.83.7. The flaw allows unauthenticated attackers to read, and potentially modify, the proxy’s database by sending a crafted Authorization header, giving them access to the credentials the proxy manages. The vulnerability is actively exploited and is listed in CISA’s KEV catalog.

This report was researched and drafted by an AI agent and reviewed by a human analyst prior to publication.

Overview

CVE-2026-42208 is a critical SQL injection vulnerability affecting BerriAI LiteLLM, an AI Gateway proxy server. It allows unauthenticated attackers to read, and potentially modify, the proxy’s internal database, compromising the credentials the proxy manages. The vulnerability affects versions from 1.81.16 up to, but not including, 1.83.7, and it is listed in CISA’s KEV catalog, indicating active exploitation.

Technical Analysis

  • Vulnerability: SQL Injection (CWE-89).
  • Affected Product: BerriAI LiteLLM (the litellm package), versions >= 1.81.16 and < 1.83.7.
  • Attack Vector: Unauthenticated network access (CVSS:3.1/AV:N).
  • Mechanism: A database query used for proxy API key checks incorrectly mixes caller-supplied key values from the Authorization header directly into the SQL query text instead of using parameterized queries.
  • Exploitation Path: An attacker sends a specially crafted Authorization header to any LLM API route (e.g., POST /chat/completions). The malicious input is processed through the proxy’s error-handling path, triggering the SQL injection.
  • Impact: An attacker can read data from the proxy’s database and may be able to modify it, leading to unauthorized access to the proxy and the credentials it manages. This results in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H).
  • CVSS 3.1 Score: 9.8 (CRITICAL) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Detection

  • Monitor LiteLLM proxy server logs for unusual Authorization header values, especially those containing SQL-like syntax (e.g., ' OR 1=1--, UNION SELECT).
  • Look for unexpected or malformed database queries originating from the LiteLLM application, particularly those involving API key validation.
  • Analyze network traffic for suspicious requests to LLM API routes (/chat/completions) with abnormally long or malformed Authorization headers.
  • Check for unauthorized access attempts or modifications within the LiteLLM proxy’s internal database.
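As a worked illustration of the log-review guidance above, the following Python script is an added example; it is not part of the original report and not LiteLLM’s own tooling. It assumes a generic access-log shape, `<timestamp> <method> <path> authorization="<value>"`, which is a constructed format rather than LiteLLM’s actual log format, and the sample lines are constructed. The script percent-decodes the header value before matching, so encoded probes are not missed, flags SQL-like syntax, and separately flags abnormally long values; the length threshold is an assumption to be tuned to the key format actually in use.

```python
import re
from urllib.parse import unquote

# Constructed log lines in a generic shape (assumption: not LiteLLM's real format):
#   <timestamp> <method> <path> authorization="<header value>"
SAMPLE_LOG = "\n".join([
    '2026-04-01T10:00:01Z POST /chat/completions authorization="Bearer sk-abc123def456"',
    '2026-04-01T10:00:02Z POST /chat/completions authorization="Bearer sk-\' OR 1=1--"',
    '2026-04-01T10:00:03Z POST /chat/completions authorization="Bearer sk-x%27%20UNION%20SELECT%20token%20FROM%20keys--"',
    '2026-04-01T10:00:04Z GET /models authorization="Bearer sk-legit-99"',
    '2026-04-01T10:00:05Z POST /chat/completions authorization="Bearer ' + "A" * 300 + '"',
])

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) authorization="(?P<auth>[^"]*)"'
)
# SQL metacharacters and keywords that have no business in a bearer token.
SQLI_RE = re.compile(r"(?i)('|--|/\*|;|\bUNION\b|\bSELECT\b)")
# Assumption: legitimate virtual keys are far shorter than this.
MAX_AUTH_LEN = 200


def flag_line(line):
    """Return a finding dict for a suspicious line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding first so "%27" is seen as a quote.
    auth = unquote(m.group("auth"))
    reasons = []
    if SQLI_RE.search(auth):
        reasons.append("sql-syntax")
    if len(auth) > MAX_AUTH_LEN:
        reasons.append("length")
    if not reasons:
        return None
    return {"ts": m.group("ts"), "path": m.group("path"), "reasons": reasons}


def scan_log(text):
    """Scan a block of log lines and return all findings in order."""
    findings = []
    for line in text.splitlines():
        finding = flag_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)  # three findings: two sql-syntax, one length
```

Run against the constructed sample, the script flags the second and third lines for SQL-like syntax and the fifth for length, while the two ordinary requests pass. Keyword matches such as SELECT can false-positive on keys whose alphabet allows arbitrary letters, so pair this with a positive check on the expected key format where that format is known.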

Mitigations

  1. Patch Immediately: Upgrade BerriAI LiteLLM to version 1.83.7 or newer. This version contains the patch for the vulnerability.
  2. Input Validation: Implement robust input validation and sanitization for all API key inputs if immediate patching is not feasible.
  3. Parameterized Queries: Ensure all database interactions within custom code use parameterized queries to prevent SQL injection.
  4. Network Segmentation: Restrict network access to the LiteLLM proxy server to only necessary internal systems.
  5. Monitor Database Access: Implement logging and alerting for unusual or unauthorized access patterns to the proxy’s database.
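The unsafe pattern described under Mechanism in the Technical Analysis, and the parameterized form recommended in item 3 above together with the format check from item 2, shown side by side as an added Python example. This is not LiteLLM’s code: it assumes a hypothetical `virtual_keys` table in an in-memory SQLite database, and the schema, the stored key and the accepted key format are constructed for illustration.

```python
import re
import sqlite3


def make_key_store():
    """Constructed stand-in for a proxy's key store (assumed schema, not LiteLLM's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT NOT NULL)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-good-key', 'team-a')")
    conn.commit()
    return conn


def lookup_key_unsafe(conn, token):
    """Vulnerable pattern: the caller-supplied token is spliced into the SQL text.
    Whatever the caller puts in the Authorization header becomes part of the query."""
    sql = f"SELECT token, team FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_key_safe(conn, token):
    """Hardened pattern: the token is bound as a parameter. The driver passes it as
    data, so quotes, comment markers and keywords inside it cannot alter the query."""
    return conn.execute(
        "SELECT token, team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchall()


# Assumption: the deployment issues keys of the form sk-<8..128 url-safe chars>.
TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def bearer_token(header_value):
    """Extract the token from an Authorization header value, or None if the
    scheme or the key format is wrong. This check runs before any query."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not TOKEN_RE.fullmatch(token):
        return None
    return token


if __name__ == "__main__":
    conn = make_key_store()
    probe = "' OR 1=1--"  # the probe string listed under Detection
    print("unsafe:   ", lookup_key_unsafe(conn, probe))      # returns the stored row
    print("safe:     ", lookup_key_safe(conn, probe))        # returns []
    print("validated:", bearer_token("Bearer " + probe))     # None: rejected up front
```

With the probe string from the Detection section, the unsafe lookup returns the stored key because the quote closes the literal and the trailing comment marker swallows the rest of the statement, whereas the parameterized lookup compares the whole string as a value and returns nothing. The format check in `bearer_token` is the input-validation layer from item 2: it is a useful defence in depth, but only the parameterized query removes the injection itself.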

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42208
  • https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc
  • https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208
  • https://ltna.com.au/cyber

Indicators of Compromise

No public IOCs available at time of writing.

MITRE ATT&CK

  • T1190 — Exploit Public-Facing Application
  • T1078 — Valid Accounts

AI Attribution

Generated by gemini-2.5-flash (1,637 input / 1,091 output tokens). Reviewed and approved by a human analyst before publication.