ZCyberNews

LiteLLM CVE-2026-42208 Pre-Auth SQLi Exploited in Attacks

Attackers exploit CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM LLM gateway, to steal API keys and model data. CVSS 9.8. No patch yet.


Executive Summary

Attackers are actively exploiting CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM gateway, according to a BleepingComputer report published April 28, 2026. The flaw, which carries a CVSS score of 9.8, allows unauthenticated remote attackers to extract sensitive data from the LiteLLM database, including API keys, model configurations, and user credentials. As of this writing, no patch has been released, and exploitation is ongoing in the wild.

Technical Analysis

LiteLLM is a widely used open-source proxy server that provides a unified interface for accessing multiple large-language model (LLM) providers (e.g., OpenAI, Anthropic, Cohere). The vulnerability resides in the proxy's database query handling: user-supplied input reaches SQL query construction without being sanitized or bound as a parameter, so an attacker can alter the structure of the query rather than merely its data. Because the affected code path is reachable before any authentication check, the proxy's own API-key or session validation offers no protection, and any internet-facing LiteLLM instance is at risk.
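The following is an added illustration of the bug class, not LiteLLM's code or schema: a toy key-store table in SQLite queried once with string interpolation and once with a bound parameter. The table name, columns, and payloads are constructed for the demo. It shows both the tautology payload that dumps every row and the UNION payload an attacker uses to enumerate the schema before choosing what to dump.

```python
import sqlite3

# Constructed sample rows standing in for a gateway's stored provider keys.
# Illustrative schema only; it is not LiteLLM's actual table layout.
SAMPLE_ROWS = [
    ("key-alice", "sk-provider-aaaa", "alice"),
    ("key-bob", "sk-provider-bbbb", "bob"),
]


def make_db():
    """Create an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (key_id TEXT, provider_key TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, key_id):
    """Injectable: the caller-controlled value is spliced into the SQL text."""
    sql = (
        "SELECT key_id, provider_key, owner FROM api_keys "
        f"WHERE key_id = '{key_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, key_id):
    """Parameterized: the driver passes key_id as data, never as SQL."""
    sql = "SELECT key_id, provider_key, owner FROM api_keys WHERE key_id = ?"
    return conn.execute(sql, (key_id,)).fetchall()


# Constructed payloads: a quoted tautology and a UNION-based schema probe.
# The trailing quote the query appends is neutralised by the "--" comment.
TAUTOLOGY_PAYLOAD = "nonexistent' OR '1'='1"
UNION_PAYLOAD = "nonexistent' UNION SELECT name, sql, type FROM sqlite_master--"


def demo():
    """Run both payloads through both lookups and return the results."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "hardened_union": lookup_hardened(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every stored provider key for the tautology payload and the `CREATE TABLE` statement for the UNION payload; the parameterized lookup returns nothing for either, because the whole payload is compared as a literal `key_id` value.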

BleepingComputer reported that attackers are leveraging the SQLi to dump the contents of the LiteLLM database, which typically stores API keys for backend LLM providers, model routing rules, user authentication data, and usage logs. With the provider keys in hand, an adversary can run their own prompts through the victim's provider accounts, reading the responses and consuming the victim's quota and budget. The stolen credentials could also enable lateral movement if the same keys are reused across other services.

The vulnerability was disclosed by security researchers who identified the issue in the LiteLLM codebase. The attack consists of a crafted HTTP request to the vulnerable endpoint; because that endpoint is reachable before authentication, the exploit needs no API key, session, or other prior access, and no special privileges.

Mitigations & Recommendations

Until a patch is available, defenders should take immediate steps to reduce exposure. Because the flaw is pre-authentication, hardening LiteLLM's own key handling does not help; the exposure must be removed at the network layer. The most effective mitigation is to ensure that LiteLLM instances are not reachable from the public internet. Organizations should place the proxy behind a VPN or a firewall with strict access control lists, allowing only trusted internal IP ranges. Additionally, web application firewalls (WAFs) can be configured with rules to block common SQL injection payloads, though this is a partial defense: signature rules are routinely bypassed with comment and whitespace obfuscation, so a WAF buys time rather than closing the hole.

Administrators should monitor LiteLLM database logs for unusual queries, in particular statements containing UNION SELECT, quoted tautologies such as 'x' OR '1'='1, or trailing comment sequences, and for unauthorized access attempts. Any sign of compromise, such as unexpected usage on the provider side or altered database entries, should trigger immediate credential rotation for all stored API keys and user accounts. Note that provider keys held in the LiteLLM database must be revoked and reissued at the provider; removing them from LiteLLM does not invalidate them. If possible, consider temporarily disabling the LiteLLM service until a security update is released. The LiteLLM project maintainers have been notified and are expected to release a patched version; organizations should subscribe to the project's security advisory feed for updates.
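As an added example covering both the WAF caveat above and the log-monitoring advice, the script below applies a small set of SQL injection signatures to constructed request paths and to constructed Postgres-style `statement:` log lines. It is not LiteLLM code and the endpoint `/v1/keys`, the `key_id` parameter, the table name, and every sample line are assumptions made for the demo. It first matches the raw text, as a naive WAF rule or log search would, then matches again after stripping inline comments and collapsing whitespace, which is what catches the obfuscated variant the naive pass misses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request paths (not real traffic). The last one hides
# UNION SELECT behind /**/ comment padding and uses no "--" terminator.
SAMPLE_REQUESTS = [
    "/v1/keys?key_id=key-alice",
    "/v1/keys?key_id=x%27+OR+%271%27%3D%271",
    "/v1/keys?key_id=x%27+UNION+SELECT+key_id%2Cprovider_key%2Cowner+FROM+api_keys--",
    "/v1/keys?key_id=x%27/**/UNION/**/SELECT/**/key_id%2Cprovider_key%2Cowner"
    "/**/FROM/**/api_keys/**/WHERE/**/%271%27%3D%271",
]

# Constructed database log lines in a Postgres-like "statement:" format.
SAMPLE_DB_LOG = [
    "2026-04-28T10:01:02Z LOG:  statement: SELECT key_id, provider_key FROM api_keys WHERE key_id = 'key-alice'",
    "2026-04-28T10:01:07Z LOG:  statement: SELECT key_id, provider_key FROM api_keys WHERE key_id = 'x' OR '1'='1'",
    "2026-04-28T10:01:09Z LOG:  statement: SELECT key_id, provider_key FROM api_keys WHERE key_id = 'x' UNION SELECT name, sql FROM sqlite_master--'",
]

# Minimal signature set: a quoted tautology and union-based extraction.
SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.IGNORECASE),
    "union_select": re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),
}


def find_signatures(text):
    """Return the names of all signatures that match the text."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def normalize(text):
    """Strip inline /* */ comments and collapse runs of whitespace.

    This defeats the cheapest obfuscation: replacing spaces with /**/ so that
    'UNION SELECT' never appears literally in the raw request.
    """
    without_comments = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"\s+", " ", without_comments).strip()


def scan_requests(paths):
    """Scan the decoded query parameters of each path, raw and normalized."""
    results = {}
    for path in paths:
        params = parse_qs(urlsplit(path).query)
        joined = " ".join(v for values in params.values() for v in values)
        results[path] = {
            "naive": bool(find_signatures(joined)),
            "normalized": bool(find_signatures(normalize(joined))),
        }
    return results


def scan_db_log(lines):
    """Return the log lines whose logged statement matches a signature."""
    flagged = []
    for line in lines:
        m = re.search(r"statement:\s*(.*)$", line)
        if m and find_signatures(normalize(m.group(1))):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for path, verdict in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{verdict['naive']!s:5} {verdict['normalized']!s:5} {path}")
    for line in scan_db_log(SAMPLE_DB_LOG):
        print("FLAGGED:", line)
```

The third malicious request is invisible to the raw-text pass and caught only after normalization, which is the concrete form of the "may not catch all variants" caveat: every signature set has an encoding it does not anticipate, so the log scan is a detection aid, not a substitute for taking the proxy off the internet.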

Tags: litellm, sql-injection, cve-2026-42208, llm-security, pre-auth, exploitation