CVE-2026-42208: Critical Pre-Auth SQL Injection in LiteLLM AI Gateway
Related CVEs
Related Vulnerability Groups
Other CVEs in Same Group
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute arbitrary commands on the host system. Two MCP (Model Context Protocol) test endpoints accept stdio transport configurations including command, args, and env fields, then spawn the supplied command as a subprocess with proxy process privileges. Authentication with any valid API key, including low-privilege internal-user keys, bypasses intended PROXY_ADMIN role restrictions. Patch available in version 1.83.7. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS scoring is not provided in available data.
Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. This vulnerability affects deployments using LiteLLM as an AI gateway proxy server. No active exploitation confirmed (not in CISA KEV), but GitHub advisory and patch are publicly available, increasing exploit likelihood. CVSS 8.6 (High) with network attack vector and low complexity, though PR:L requirement limits exposure to authenticated attackers only.