LiteLLM Critical SQL Injection Vulnerability Exploited Within 36 Hours of Disclosure

For the growing community of AI developers and DevOps engineers in Morocco, the "AI Gateway" has become a central component of modern infrastructure. However, a recent incident involving LiteLLM—a popular tool for unifying various Large Language Model (LLM) APIs—serves as a stark reminder of the security risks inherent in centralizing sensitive credentials.

TL;DR

A critical SQL injection vulnerability (CVE-2026-42208) in the LiteLLM Python package was exploited in the wild within 36 hours of its disclosure. Attackers targeted sensitive tables containing API keys for providers like OpenAI and AWS Bedrock. If you are using LiteLLM, you must update to version 1.83.7-stable immediately or apply the recommended configuration workaround to prevent unauthorized database access.

The Vulnerability: CVE-2026-42208

The flaw, tracked as CVE-2026-42208, carries a critical CVSS score of 9.3. It is a classic SQL Injection, a type of vulnerability where an attacker "injects" malicious database commands into a query that the application then executes.

According to LiteLLM maintainers, the issue resided in how the proxy checked API keys. Instead of using "parameterized queries" (a security best practice where user input is treated strictly as data and not as executable code), the application mixed the user-supplied key directly into the query text.

An unauthenticated attacker could trigger this vulnerability by sending a specially crafted Authorization header to any LLM API route, such as POST /chat/completions. The malicious input would reach the vulnerable database query through the proxy's error-handling path.

36 Hours from Patch to Probe

Security researcher Michael Clark from Sysdig reported that the first exploitation attempt occurred on April 26, 2026, at 16:17 UTC. This was approximately 26 hours after the GitHub advisory was indexed and less than 36 hours after it became public knowledge.

The exploitation occurred in two distinct phases originating from the IP addresses 65.111.27.132 and 65.111.25.67. The speed of these attacks highlights a "collapsed" exploitation window; threat actors no longer wait for a public Proof-of-Concept (PoC) code to be released. Instead, they use the vulnerability advisory and the open-source schema of the project to build their own exploits almost instantly.

High-Stakes Targeting: The Blast Radius

LiteLLM serves as a gateway for multiple AI services, including OpenAI, Anthropic, and AWS Bedrock. Because it centralizes these credentials, a successful breach of its database is compared to a cloud-account compromise rather than a standard web application leak.

Sysdig observed the attackers specifically targeting tables that hold high-value secrets:

• litellm_credentials.credential_values: Often contains keys with high monthly spending limits or administrative rights.
• litellm_config: Contains proxy runtime environment details.

Interestingly, the attackers ignored common tables like litellm_users, suggesting they were specifically hunting for "upstream" provider keys that would allow them to use expensive AI resources on the victim’s dime.

Mitigation and Steps for Moroccan Teams

If your Moroccan startup or enterprise uses LiteLLM to manage AI calls, you should take the following actions:

1. Immediate Update: Upgrade your LiteLLM Python package to version 1.83.7-stable or higher. This version contains the official patch from BerriAI.
2. Temporary Workaround: If you cannot upgrade immediately, modify your configuration. Set disable_error_logs: true under the general_settings section. This blocks the specific error-handling path that allows the malicious input to reach the database query.
3. Credential Rotation: Since it is currently uncertain whether data was successfully exfiltrated during the observed probes, it is a best practice to rotate any API keys (OpenAI, Anthropic, etc.) stored within the LiteLLM database if you were running a vulnerable version (>=1.81.16 <1.83.7) during the window of exploitation.

Conclusion

This incident underscores a shifting reality in cybersecurity: the "Zero Day Clock" is accelerating. For open-source tools with high adoption—LiteLLM has over 45,000 GitHub stars—the moment a patch is announced, the race begins. Moroccan tech teams must prioritize rapid patching cycles, especially for "gateway" components that act as a single point of failure for cloud credentials.

Source: The Hacker News - LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure