CVE-2026-42271: Proof-of-Concept Exploit (Draft)
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, including the managed LLM API credentials the proxy stores. The injection is reached through a crafted Authorization header sent to any LLM API route (e.g., POST /chat/completions): the malformed credential is handed to the proxy's error-handling path, which builds the offending query. A vendor patch is available in version 1.83.7. No active exploitation has been confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N), requires no credentials, and generic SQL injection techniques are widely documented, so weaponization should be assumed feasible. Discovered by Tencent YunDing Security Lab.
Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user holding a valid proxy API key can submit a malicious prompt template that escapes the template sandbox and runs commands in the proxy server process, exposing environment secrets such as upstream provider API keys and database credentials. The issue affects deployments running LiteLLM as an AI gateway proxy server. No active exploitation has been confirmed (not in CISA KEV), but the GitHub advisory and patch are public, which raises the likelihood of an exploit appearing. CVSS 8.6 (High): network attack vector and low complexity, though the PR:L requirement limits exposure to attackers who already hold a proxy key.
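A triage helper for both advisories above, added here as an example and not code from the LiteLLM project or the page's author. It does two things the descriptions support: decides whether a reported LiteLLM version falls inside either affected range (ranges copied from the two entries; the fixed version is 1.83.7), and, as a stopgap for the unauthenticated SQL injection vector, rejects any Authorization header that does not look like a bearer token before the request reaches the proxy's error-handling path. The bearer allowlist pattern (an `sk-`-style token of URL-safe characters) and the `triage_request` shape are assumptions for an edge proxy or WAF hook; the only real fix is upgrading to 1.83.7, and the header check does nothing for the authenticated SSTI in /prompts/test.

```python
"""Triage helpers for the two LiteLLM advisories (added example, not vendor code)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as stated in the advisories.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2026-42271 SQLi via Authorization header": ((1, 81, 16), (1, 83, 6)),
    "SSTI via POST /prompts/test": ((1, 80, 5), (1, 83, 6)),
}
FIXED_VERSION: Version = (1, 83, 7)

# Assumed allowlist: LiteLLM virtual keys are bearer tokens made of URL-safe
# characters. Quotes, comment markers (--, /*), spaces and semicolons, i.e. the
# characters an injection payload needs, all fall outside this pattern.
BEARER_RE = re.compile(r"^Bearer\s+[A-Za-z0-9_\-\.]{8,256}$")


def parse_version(text: str) -> Version:
    """Parse '1.83.6', 'v1.83.6' or '1.83.6-stable' into a comparable tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


def affected_by(version_text: str) -> List[str]:
    """Return the advisories whose affected range covers this version."""
    ver = parse_version(version_text)
    return [name for name, (lo, hi) in AFFECTED.items() if lo <= ver <= hi]


def needs_upgrade(version_text: str) -> bool:
    """True when the version is older than the vendor fix (1.83.7)."""
    return parse_version(version_text) < FIXED_VERSION


def authorization_header_suspicious(value: Optional[str]) -> Tuple[bool, str]:
    """Flag Authorization values that cannot be a well-formed LiteLLM key.

    A missing header is an ordinary unauthenticated request and is left to the
    proxy; a present-but-malformed header is exactly what the SQLi vector
    needs, so it is rejected at the edge before the proxy's error path runs.
    """
    if value is None:
        return False, "no Authorization header"
    if BEARER_RE.match(value):
        return False, "well-formed bearer token"
    return True, "Authorization header is not a bearer token: rejecting"


def triage_request(method: str, path: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Edge decision for one inbound request (assumed hook shape)."""
    # Header names are case-insensitive; normalise before lookup.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    suspicious, reason = authorization_header_suspicious(auth)
    return {
        "method": method,
        "path": path,
        "action": "block" if suspicious else "pass",
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample input, not captured traffic.
    for v in ("1.80.4", "1.81.0", "1.82.3", "1.83.7"):
        print(v, affected_by(v), "upgrade" if needs_upgrade(v) else "fixed")
    requests = [
        ("POST", "/chat/completions", {"Authorization": "Bearer sk-abc123def456"}),
        ("POST", "/chat/completions", {"authorization": "Bearer sk-' OR 1=1--"}),
        ("POST", "/chat/completions", {}),
    ]
    for method, path, hdrs in requests:
        print(triage_request(method, path, hdrs))
```

Run it with a version string from your deployment to get the list of advisories that apply; wire `triage_request` into whatever sits in front of the proxy only as a temporary control, and tune `BEARER_RE` if your keys use characters outside that allowlist, since a false positive here locks out legitimate clients.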