A critical-severity vulnerability in the open source AI gateway LiteLLM was exploited days after public disclosure to access database tables containing sensitive information, Sysdig reports.
The security defect is described as an SQL injection during the proxy API key verification process and is identified as CVE-2026-42208, with a CVSS score of 9.3.
In an April 20 advisory, LiteLLM’s maintainers explained that a database query used during key verification did not pass the caller-supplied value as a separate parameter, including it in the query instead.
This allowed an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route and access the query via the proxy’s error-handling path.
“The call happens before authentication (auth) is decided, so the injection is fully pre-auth: any HTTP client that can reach the proxy port is sufficient,” Sysdig notes.
By exploiting the issue, the attacker could access the LiteLLM proxy’s database to read and potentially modify data, allowing them to leak credentials stored in the database.
On April 24, the advisory was indexed in the GitHub Advisory database, and the first attacks exploiting the flaw were observed 36 hours later, Sysdig says.
The cybersecurity firm observed the attackers specifically targeting three database tables containing sensitive information such as API keys, provider credentials, and the proxy’s environment variable configuration.
“The operator already knew LiteLLM’s Prisma-generated PostgreSQL identifier casing and ran a textbook column-count discovery sweep against each target table,” Sysdig explains.
Despite the targeted nature of the attacks, no continuation was observed, and the extracted keys and credentials have not been abused.
The observed attacks, the cybersecurity firm says, were performed 21 minutes apart, likely through an automated tool that used the same payload but rotated the origin IP addresses.
“The novelty of this finding is the speed and precision of the schema-enumeration attempt, not a confirmed compromise,” Sysdig notes.
LiteLLM version 1.83.7 resolves the vulnerability by ensuring that the caller-supplied value is always passed as a separate parameter. Users are advised to update to the patched release as soon as possible or to disable error logs to mitigate the exploitation path.
Related: 38 Vulnerabilities Found in OpenEMR Medical Software
Related: Chrome 147, Firefox 150 Security Updates Rolling Out
Related: No Patch for New PhantomRPC Privilege Escalation Technique in Windows
Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years
