Executive Summary
In April 2026, a critical SQL injection vulnerability, CVE-2026-42208, was identified in BerriAI's LiteLLM, an open-source AI proxy. This flaw allows unauthenticated attackers to execute arbitrary SQL commands via a crafted 'Authorization' header, potentially leading to unauthorized data access and modification. The vulnerability affects LiteLLM versions from 1.81.16 up to, but not including, 1.83.7. Exploitation was observed within 36 hours of disclosure, with attackers targeting sensitive database tables. (thehackernews.com)
The rapid exploitation of CVE-2026-42208 underscores the critical need for prompt vulnerability management in AI infrastructure. Organizations utilizing LiteLLM should immediately upgrade to version 1.83.7 or later to mitigate this risk. (advisories.gitlab.com)
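To find deployments inside the affected range given above, pinned requirement lines can be checked mechanically. This is an added example, not code from LiteLLM or the cited advisories: the function names and the sample requirement lines are constructed, and treating a pre-release of 1.83.7 as "verify" is an assumption.

```python
import re

# Affected range as stated on this page: 1.81.16 <= version < 1.83.7
AFFECTED_FROM = (1, 81, 16)
FIXED_IN = (1, 83, 7)

# Matches pins such as "litellm==1.82.3" or "litellm[proxy]==1.81.16".
PIN_RE = re.compile(
    r"^litellm(?:\[[^\]]*\])?\s*==\s*v?(\d+)\.(\d+)\.(\d+)(\S*)", re.IGNORECASE
)


def classify_pin(line):
    """Return 'affected', 'not-affected', 'verify', 'unpinned', or None."""
    stripped = line.split("#", 1)[0].strip()  # drop trailing comments
    # Only the litellm package itself, not names that merely start with it.
    if not re.match(r"^litellm(?![\w.-])", stripped, re.IGNORECASE):
        return None
    m = PIN_RE.match(stripped)
    if m is None:
        return "unpinned"  # range or bare name: check the resolved version
    release = tuple(int(p) for p in m.group(1, 2, 3))
    # Assumption: a pre-release of the fixed version needs a manual look.
    if release == FIXED_IN and re.match(r"\.?(a|b|rc|dev)", m.group(4), re.I):
        return "verify"
    return "affected" if AFFECTED_FROM <= release < FIXED_IN else "not-affected"


def scan_requirements(text):
    """Return [(line_number, line, verdict)] for each litellm requirement."""
    rows = ((n, ln.strip(), classify_pin(ln))
            for n, ln in enumerate(text.splitlines(), 1))
    return [row for row in rows if row[2] is not None]


# Constructed sample input, not taken from any real project.
SAMPLE = """\
fastapi==0.115.0
litellm[proxy]==1.81.16   # first affected release
litellm==1.83.6
litellm==1.83.7
litellm==1.81.15
litellm==1.83.7rc1
litellm>=1.80
litellm-extras-example==0.0.1
"""

if __name__ == "__main__":
    for number, line, verdict in scan_requirements(SAMPLE):
        print(f"line {number}: {verdict:13} {line}")
```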
Why This Matters Now
The swift exploitation of CVE-2026-42208 highlights the urgency for organizations to promptly address vulnerabilities in AI systems to prevent unauthorized data access and potential breaches.
Attack Path Analysis
An unauthenticated attacker exploited a SQL injection vulnerability in LiteLLM's API key verification process to gain unauthorized access to the proxy's database. The attacker then escalated privileges by extracting and utilizing stored API credentials, allowing access to connected LLM providers. Using the compromised credentials, the attacker moved laterally to other systems and services integrated with LiteLLM. The attacker established command and control by maintaining persistent access through the compromised API keys. Sensitive data was exfiltrated from the connected LLM providers and the LiteLLM database. The attack resulted in unauthorized access to AI models and potential data manipulation, impacting the integrity and confidentiality of the services.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited a SQL injection vulnerability in LiteLLM's API key verification process to gain unauthorized access to the proxy's database.
Related CVEs
CVE-2026-42208
CVSS 9.8
An SQL injection vulnerability in LiteLLM allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access and data modification.
Affected Products:
BerriAI LiteLLM – 1.81.16 to before 1.83.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
SQL Stored Procedures
Valid Accounts
Application Layer Protocol
OS Credential Dumping
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Injection Flaws
Control ID: 6.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
BerriAI LiteLLM SQL injection vulnerability directly impacts AI/ML software platforms, requiring immediate remediation of application vulnerabilities in development frameworks.
Information Technology/IT
Active exploitation of CVE-2026-42208 threatens IT infrastructure managing AI services, demanding priority patching and enhanced application security controls.
Financial Services
SQL injection attacks against AI platforms pose compliance risks under PCI DSS, threatening customer data and requiring immediate vulnerability remediation.
Health Care / Life Sciences
Healthcare AI systems using LiteLLM face HIPAA compliance violations through SQL injection, risking patient data exposure and regulatory penalties.
Sources
- CISA Adds One Known Exploited Vulnerability to Catalog: https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-one-known-exploited-vulnerability-catalog (Verified)
- NVD - CVE-2026-42208: https://nvd.nist.gov/vuln/detail/CVE-2026-42208 (Verified)
- LiteLLM Security Advisory GHSA-r75f-5x8p-qvmc: https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial SQL injection, it could limit the attacker's ability to exploit the compromised database to access other systems.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could limit the attacker's ability to use compromised credentials to access connected LLM providers.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could limit the attacker's ability to move laterally to other systems and services.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could limit the attacker's ability to maintain persistent access through compromised API keys.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could limit the attacker's ability to exfiltrate sensitive data from the environment.
While Aviatrix CNSF may not prevent the initial compromise, it could limit the attacker's ability to access AI models and manipulate data.
Impact at a Glance
Affected Business Functions
- API Gateway Operations
- Credential Management
Estimated downtime: 3 days
Estimated loss: $50,000
Unauthorized access to API keys and sensitive database information.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block SQL injection attempts in real time.
- Enforce zero trust segmentation to limit lateral movement by restricting access between workloads and services.
- Apply egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize multicloud visibility and control solutions to detect anomalous interactions and repeated malformed requests indicative of exploitation attempts.
- Regularly update and patch software components to remediate known vulnerabilities promptly.
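The first and fourth recommendations can be approximated in front of the proxy with an allowlist check on the 'Authorization' header plus a per-client count of malformed values. This is an added example, not Aviatrix or LiteLLM code: the `sk-` key shape, the threshold, the function names and the sample requests are all assumptions or constructed values.

```python
import re
from collections import Counter

# Assumption: proxy keys are "sk-" plus URL-safe characters; adjust to your format.
TOKEN_RE = re.compile(r"sk-[A-Za-z0-9_-]{8,128}")
ALERT_THRESHOLD = 3  # assumed: malformed headers from one client before alerting


def check_authorization(header_value):
    """Return (ok, reason). The token is never returned, so reasons are safe to log."""
    if header_value is None:
        return False, "missing"
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer":
        return False, "unexpected-scheme"
    # fullmatch: the whole token must fit the allowlist, so quotes, spaces
    # or separators anywhere in the value are rejected before any lookup.
    if not TOKEN_RE.fullmatch(token):
        return False, "malformed-token"
    return True, "ok"


def triage(requests):
    """requests: iterable of (client_ip, header). Returns (blocked, alerts)."""
    malformed = Counter()
    blocked = []
    for client_ip, header in requests:
        ok, reason = check_authorization(header)
        if not ok:
            blocked.append((client_ip, reason))
            if reason != "missing":  # absent headers are common and noisy
                malformed[client_ip] += 1
    alerts = sorted(ip for ip, n in malformed.items() if n >= ALERT_THRESHOLD)
    return blocked, alerts


# Constructed sample requests using documentation address ranges.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "Bearer sk-constructedKey_0001"),
    ("198.51.100.7", "Bearer sk-constructed' x"),
    ("198.51.100.7", "Bearer sk-constructed'--"),
    ("198.51.100.7", "Bearer sk-constructed;x"),
    ("192.0.2.44", "Basic Zm9v"),
    ("192.0.2.44", None),
]

if __name__ == "__main__":
    blocked, alerts = triage(SAMPLE_REQUESTS)
    print("blocked:", blocked)
    print("alert on:", alerts)
```

A check like this narrows what reaches the key lookup and surfaces repeated probing; upgrading to 1.83.7 or later remains the fix for the flaw itself.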



