LiteLLM pre-auth SQLi flaw under active exploitation, secrets harvested
A critical SQL injection vulnerability in LiteLLM, tracked as CVE-2026-42208, is being actively exploited to extract API keys and provider credentials from the popular LLM gateway. The flaw sits in the proxy’s API key verification path, letting an unauthenticated attacker inject SQL via a crafted Authorization header on any LLM API route. The maintainers patched it in version 1.83.7 by replacing string concatenation with parameterized queries; an interim workaround sets disable_error_logs: true to block the vulnerable path.
Sysdig researchers observed exploitation roughly 36 hours after public disclosure on April 24. The attacker skipped reconnaissance against benign tables and went straight for those holding API keys, master keys, OpenAI/Anthropic/Bedrock credentials, and environment configs. A second phase used rotated IPs and tighter payloads against the now-known schema, suggesting a deliberate operator rather than opportunistic scanning.
With 45k GitHub stars, LiteLLM is widely embedded in multi-model AI stacks, making the blast radius significant. Any internet-exposed instance on a vulnerable version should be treated as compromised, with every virtual key, master key, and stored provider credential rotated. The incident lands shortly after a separate supply-chain attack on the project via malicious PyPI packages from TeamPCP that deployed credential-harvesting infostealers.
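To illustrate the bug class the summary describes (a key lookup built by string concatenation from the Authorization header, versus the parameterized form the fix adopted), here is an added, simplified reconstruction in Python. It is not LiteLLM's code and uses a hypothetical in-memory SQLite table (`virtual_keys`), not the project's real schema.

```python
import sqlite3

# Constructed in-memory key store standing in for a gateway's virtual-key table
# (hypothetical schema; not LiteLLM's actual table layout).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES ('sk-valid-1', 'team-a')")
    conn.commit()
    return conn

def bearer_token(authorization: str) -> str:
    """Strip the 'Bearer ' prefix from an Authorization header value."""
    prefix = "Bearer "
    return authorization[len(prefix):] if authorization.startswith(prefix) else authorization

def verify_key_vulnerable(conn: sqlite3.Connection, authorization: str):
    """Builds the lookup by concatenation: the header value becomes part of the SQL."""
    token = bearer_token(authorization)
    sql = "SELECT owner FROM virtual_keys WHERE token = '" + token + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def verify_key_fixed(conn: sqlite3.Connection, authorization: str):
    """Parameterized query: the header value is bound as data, never parsed as SQL."""
    token = bearer_token(authorization)
    row = conn.execute(
        "SELECT owner FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    legit = "Bearer sk-valid-1"
    # Textbook tautology; it is only interpreted as SQL when concatenated in.
    bogus = "Bearer ' OR '1'='1"
    print(verify_key_vulnerable(conn, legit), verify_key_vulnerable(conn, bogus))  # team-a team-a
    print(verify_key_fixed(conn, legit), verify_key_fixed(conn, bogus))            # team-a None
```

The concatenated version accepts a token that matches no stored key, which is exactly why a header-level check is insufficient and the parameterized query (or an upgrade to the patched release) is the fix.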
Source: BleepingComputer. This is an AI-generated summary; read the original article for the full story.