CVE-2026-42208
BerriAI LiteLLM SQL Injection Vulnerability - [Actively Exploited]
Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
INFO
Published Date :
May 8, 2026, 4:16 a.m.
Last Modified :
July 15, 2026, 2:21 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the credentials it manages.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc ; https://nvd.nist.gov/vuln/detail/CVE-2026-42208
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update LiteLLM to version 1.83.7 or later.
- Verify the database query parameter handling.
Public PoC/Exploit Available at Github
CVE-2026-42208 has a 25 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-42208.
| URL | Resource |
|---|---|
| https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable | Product Release Notes |
| https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc | Mitigation Patch Vendor Advisory |
| https://access.redhat.com/security/cve/CVE-2026-42208 | Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2463965 | Mitigation Third Party Advisory |
| https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42208.json | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-42208 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-42208
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Personal exploit library — verified CVE PoCs rewritten from scratch
Python
보안관제 자동화 툴 및 탐지 규칙(YARA/Snort) 툴킷
Python
GitHub profile
Standalone Python 3 proof-of-concept exploits for recent CVEs - each with a write-up and a screenshot of a real run. For authorized security testing and education only.
cve exploit penetration-testing poc proof-of-concept python security-research vulnerability
Python C
Attack-surface monitoring for self-hosted & AI-infra services: a pull-only agent runs CVE detections on-host (only findings leave), a FastAPI control plane serves a signed catalog, scores posture, and AI-drafts new detections.
ai-security attack-surface-management cve devsecops fastapi golang monitoring multi-tenant react security self-hosted vulnerability-scanner
Makefile Go Dockerfile Python Mako HTML JavaScript TypeScript CSS Shell
A local lab for studying, reproducing, and verifying the patch for CVE-2026-42208: an unauthenticated SQL injection in LiteLLM's API key authentication path.
Python Dockerfile
None
Shell
CVE-reactive pipeline: polls CISA KEV, enriches from NVD, matches AI/ML platforms, cross-references a surveyed-host corpus, counts Shodan exposure, scores P1-P4, routes findings to visorlog and ntfy.
Python
CVE-2026-42208 - LiteLLM SQL Injection vulnerability scanner for BerriAI LiteLLM proxy instances
Python
Curadoria viva de projetos e insights sobre AI agents, multi-agent systems, e infra de produção. Atualizado automaticamente pelo Growth Agent.
None
Python
None
Shell Python Dockerfile
None
Dockerfile Python CSS HTML Shell JavaScript
None
Dockerfile Python
Threat intelligence brief on CVE-2026-42208, a critical pre-auth SQL injection in BerriAI LiteLLM exploited within 36 hours of disclosure. Covers attack path, detection opportunities, and recommended actions.
ai-security blue-team cisa-kev cve cybersecurity litellm sql-injection threat-intelligence vulnerability-analysis
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-42208 vulnerability anywhere in the article.
-
The Hacker News
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed LiteLLM is a widely ... Read more
-
TheCyberThrone
CISA adds BerriAI LiteLLM & Check Point Security Gateway to KEV
CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog on June 8, 2026, confirming active exploitation of both. The two entries are CVE-2026-42271 (BerriAI LiteLLM Command Injec ... Read more
-
The Hacker News
LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity flaw impacting BerriAI LiteLLM to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ... Read more
-
security.nl
VS waarschuwt voor actief misbruik van SQL Injection-lek in LiteLLM
Aanvallers maken actief misbruik van een kritiek SQL Injection-lek in BerriAI LiteLLM, zo waarschuwt het Amerikaanse cyberagentschap CISA. Er is een nieuwe versie uitgebracht waarin het probleem is ve ... Read more
The following table lists the changes that have been made to the
CVE-2026-42208 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Jul. 15, 2026
Action Type Old Value New Value Changed Affected [{'cpes': ['cpe:/a:redhat:lightspeed_core'], 'vendor': 'Red Hat', 'product': 'Lightspeed Core', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_ai'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift AI (RHOAI)', 'defaultStatus': 'unaffected'}] [{'cpes': ['cpe:/a:redhat:lightspeed_core'], 'vendor': 'Red Hat', 'product': 'Lightspeed Core', 'packageName': 'lightspeed-core/lightspeed-stack-rhel9', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2', 'packageName': 'ansible-automation-platform-26/lightspeed-chatbot-rhel9', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_ai'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift AI (RHOAI)', 'packageName': 'rhoai/odh-llama-stack-core-rhel9', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_ai'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift AI (RHOAI)', 'packageName': 'rhoai/odh-mlflow-rhel9', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}] -
Modified Analysis by [email protected]
Jun. 29, 2026
Action Type Old Value New Value Added Reference Type redhat-SADP: https://access.redhat.com/security/cve/CVE-2026-42208 Types: Third Party Advisory Added Reference Type redhat-SADP: https://bugzilla.redhat.com/show_bug.cgi?id=2463965 Types: Mitigation, Third Party Advisory Added Reference Type redhat-SADP: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42208.json Types: Third Party Advisory -
CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Jun. 27, 2026
Action Type Old Value New Value Added Affected [{'cpes': ['cpe:/a:redhat:lightspeed_core'], 'vendor': 'Red Hat', 'product': 'Lightspeed Core', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:ansible_automation_platform:2'], 'vendor': 'Red Hat', 'product': 'Red Hat Ansible Automation Platform 2', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/a:redhat:openshift_ai'], 'vendor': 'Red Hat', 'product': 'Red Hat OpenShift AI (RHOAI)', 'defaultStatus': 'unaffected'}] Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-89 Added Reference https://access.redhat.com/security/cve/CVE-2026-42208 Added Reference https://bugzilla.redhat.com/show_bug.cgi?id=2463965 Added Reference https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42208.json -
CVE Modified by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'BerriAI', 'product': 'litellm', 'versions': [{'status': 'affected', 'version': '>= 1.81.16, < 1.83.7'}]}] -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2026-42208', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'yes'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-05-08T00:00:00+00:00'} -
Initial Analysis by [email protected]
May. 08, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:* versions from (including) 1.81.16 up to (excluding) 1.83.7 Added Reference Type GitHub, Inc.: https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable Types: Product, Release Notes Added Reference Type GitHub, Inc.: https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc Types: Mitigation, Patch, Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208 Types: US Government Resource -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
May. 08, 2026
Action Type Old Value New Value Added Date Added 2026-05-08 Added Due Date 2026-05-11 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name BerriAI LiteLLM SQL Injection Vulnerability -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
May. 08, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208 -
New CVE Received by [email protected]
May. 08, 2026
Action Type Old Value New Value Added Description LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-89 Added Reference https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable Added Reference https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc