💻 AppSec

LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV

CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.

3 min read
#litellm#ai-infrastructure#sql-injection#cve#cisa-kev#llm#ai-gateway#enterprise-ai#api-security

CISA has added CVE-2026-42208 — a SQL injection vulnerability in BerriAI LiteLLM — to the Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. LiteLLM is an open-source AI gateway and proxy that provides a unified API interface for routing LLM (large language model) requests to multiple AI providers, including OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Vertex, and over 100 others. It has been rapidly adopted in enterprise AI infrastructure as a standard component for managing LLM API access, rate limiting, model routing, and cost tracking.

Vulnerability Details

CVE-2026-42208 affects LiteLLM’s internal API endpoints for user and team management. The vulnerability is an unsanitised SQL injection in a query parameter that is incorporated into database queries without parameterisation. A remote attacker — authenticated as a standard API user or, in some deployment configurations, unauthenticated — can inject arbitrary SQL via the vulnerable parameter to:

  • Read API keys: LiteLLM stores API keys for all configured LLM providers in its database. A successful injection can extract these keys, providing direct access to the victim’s OpenAI, Anthropic, Azure, and other LLM provider accounts — with the associated billing and usage implications
  • Read user and team records: LiteLLM’s user and team management database includes user identities, roles, and spend tracking data
  • Modify model routing configuration: In some exploitation scenarios, the injection can modify LiteLLM model routing tables, potentially redirecting AI requests to attacker-controlled endpoints
  • Extract audit logs: LiteLLM maintains request logs that may contain the content of LLM requests — potentially including sensitive prompt content, user queries, and response data

Why LiteLLM’s KEV Addition Is Significant

The addition of a LiteLLM vulnerability to CISA KEV represents a milestone: it is the first AI infrastructure proxy component to enter KEV, reflecting the rapid deployment of AI gateway tooling into production enterprise environments and the corresponding attacker interest in that infrastructure.

LiteLLM deployments frequently hold high-value credentials:

  • OpenAI API keys with significant prepaid credit or active billing
  • Anthropic, Azure OpenAI, and Bedrock keys with enterprise contract spend limits
  • Access to internal company LLM deployments and proprietary model APIs

An attacker who exfiltrates LiteLLM’s API key database has obtained the ability to consume the victim’s AI provider credits, access any organisational data the LiteLLM instance has been granted access to, and potentially intercept future AI requests depending on the routing configuration.

Affected Versions and Remediation

All LiteLLM versions prior to 1.42.2 are affected. Update immediately:

pip install litellm==1.42.2
# or if using Docker:
docker pull ghcr.io/berriai/litellm:main-v1.42.2

Review after updating:

  1. Rotate all LLM provider API keys stored in your LiteLLM instance — treat them as potentially compromised
  2. Review LiteLLM access logs for anomalous API parameter patterns or unexpected query activity
  3. Audit LiteLLM database for unexpected modifications to model routing, user records, or team configurations

Deployment hardening:

  • Restrict LiteLLM’s management API endpoints (/user/*, /team/*, /model/*) to trusted internal IP addresses
  • Require API key authentication for all LiteLLM endpoints — do not deploy in unauthenticated mode
  • Store LLM provider API keys as environment variables rather than within LiteLLM’s database where possible

The KEV listing indicates that exploitation is occurring now — not as a theoretical future risk. If your organisation runs LiteLLM in production, treat this as an emergency update.

Share this article