Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 8 pypi packages depend on litellm (8 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.81.16.
DescriptionCVE.org
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Articles & Coverage 3
AnalysisAI
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection POCs are widely known. Discovered by Tencent YunDing Security Lab.
Technical ContextAI
LiteLLM is a proxy server (AI Gateway) that translates requests to various LLM APIs into OpenAI-compatible format. The vulnerability stems from CWE-89 (SQL Injection) where user-supplied API key values from the Authorization header are concatenated directly into SQL query text during API key verification, rather than being passed as parameterized values. The affected component is the proxy's authentication layer, specifically within the error-handling code path. CPE identifier cpe:2.3:a:berriai:litellm indicates this affects the Python package distributed via PyPI. The flaw violates secure coding practices for database interactions, allowing attackers to break out of the intended query logic and execute arbitrary SQL commands against the proxy's backend database, which stores sensitive credential data for managed LLM services.
RemediationAI
Upgrade to LiteLLM version 1.83.7 or later, available at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable (patched release confirmed by vendor). The fix implements parameterized SQL queries for API key verification, eliminating the injection vector. For environments where immediate upgrade is not feasible, apply the vendor-recommended workaround: set disable_error_logs: true under general_settings in the LiteLLM configuration, which removes the error-handling code path through which unauthenticated input reaches the vulnerable query. Note this workaround may reduce operational visibility into authentication failures and should be considered temporary. After upgrading, rotate all LLM API credentials managed by the proxy, as attackers who previously exploited this vulnerability may have exfiltrated credential data. Docker users should verify image signatures using cosign per vendor instructions to ensure authenticity of the patched release.
Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit
Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoin
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28503
GHSA-r75f-5x8p-qvmc