Share
## https://sploitus.com/exploit?id=07B8B2D9-F4E3-5CBE-80A3-7287CAAD00E4
# Threat Intelligence Brief - CVE-2026-42208: BerriAI LiteLLM SQL Injection

**CVE:** CVE-2026-42208  
**GHSA:** GHSA-r75f-5x8p-qvmc  
**CVSS Score:** 9.3 (Critical)  
**Affected Software:** BerriAI LiteLLM versions >= 1.81.16, = 1.81.16 and = 1.83.7-stable |

---

## Detection Opportunities

### Network/WAF Level
Look for HTTP requests to LiteLLM endpoints containing SQL metacharacters in the Authorization header:

```
Authorization: Bearer ' OR 1=1--
Authorization: Bearer '; SELECT * FROM LiteLLM_VerificationToken--
Authorization: Bearer ' UNION SELECT--
```

Indicators to hunt for in proxy logs:
- Requests to `/chat/completions`, `/embeddings`, or other API routes with malformed bearer tokens
- Bearer values containing single quotes, double dashes, UNION, SELECT, or other SQL keywords
- High volume of 4xx responses from the proxy with varied Authorization headers from the same source IP

### Database Level
- Unexpected SELECT queries against `LiteLLM_VerificationToken` with unusual WHERE clauses
- Access to credential or configuration tables outside normal application query patterns
- New or modified API key records not created through the admin UI

### MITRE ATT&CK

| Technique | ID | Description |
|---|---|---|
| Exploit Public-Facing Application | T1190 | SQL injection against internet-accessible LiteLLM proxy |
| Credentials from Password Stores | T1555 | Extraction of API keys and cloud credentials from proxy database |
| Valid Accounts: Cloud Accounts | T1078.004 | Use of stolen cloud provider credentials post-exploitation |

---

## Recommended Actions

**Immediate (if running affected versions):**
1. Upgrade to LiteLLM >= 1.83.7-stable immediately
2. If internet-facing during the vulnerable window (April 19 - patch deployment), treat as a potential compromise -- do not assume unpatched = uncompromised
3. Rotate all API keys and cloud credentials stored in the LiteLLM database
4. Review proxy access logs for SQL injection indicators in Authorization headers

**Short-term:**
5. Restrict network access to the LiteLLM proxy port -- it should not be directly internet-facing without authentication in front of it
6. Enable database query logging to detect future injection attempts
7. Add WAF rules to inspect Authorization headers for SQL metacharacters

**Ongoing:**
8. Subscribe to CISA KEV alerts -- this vulnerability was being actively exploited before most patch cycles would have caught it
9. Treat AI infrastructure as high-value credential stores -- the same security controls applied to secrets managers should apply to LLM proxy deployments

---

## Analyst Notes

**Why AI infrastructure is a growing target:** LiteLLM and similar tools sit at a privileged position -- they hold credentials to paid cloud services with high spend limits and are often deployed by engineering teams rather than security teams, with less mature security review. The Sysdig team specifically noted that LiteLLM operators "trust it to centralize cloud-grade credentials," making it an attractive target for credential theft and LLM service abuse (using stolen API keys to run their own queries against paid models).

**The 36-hour exploitation window is a benchmark:** This is not an anomaly. Threat actors actively monitor CVE publication feeds and advisory databases. For critical, pre-auth vulnerabilities in widely-used open-source software, assume exploitation begins within 24-48 hours of public disclosure. Patch SLAs need to account for this reality -- a 30-day patch window is not appropriate for CVSS 9+ pre-auth vulnerabilities.

**CISA KEV as a prioritization signal:** The KEV catalog only includes vulnerabilities with confirmed real-world exploitation. If a CVE appears in KEV, it is not theoretical -- someone has already used it against real targets. Organizations should treat KEV additions as immediate action items regardless of their internal CVSS-based prioritization thresholds.

---

## References

- [CISA KEV -- CVE-2026-42208](https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-one-known-exploited-vulnerability-catalog)
- [Sysdig TRT Analysis](https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure)
- [The Hacker News Coverage](https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html)
- [Security Affairs](https://securityaffairs.com/191483/hacking/cve-2026-42208-litellm-bug-exploited-36-hours-after-its-disclosure.html)
- [GHSA-r75f-5x8p-qvmc](https://github.com/advisories/GHSA-r75f-5x8p-qvmc)
- [MITRE ATT&CK T1190](https://attack.mitre.org/techniques/T1190/)
- [MITRE ATT&CK T1555](https://attack.mitre.org/techniques/T1555/)