Skip to main content

LiteLLM CVE-2026-42208

| EUVDEUVD-2026-28503 CRITICAL
SQL Injection (CWE-89)
2026-05-08 GitHub_M GHSA-r75f-5x8p-qvmc
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
9.8 CRITICAL
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Added to CISA KEV
May 08, 2026 - 17:18 CISA
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:32 vuln.today
Analysis Generated
May 08, 2026 - 04:32 vuln.today
CVSS changed
May 08, 2026 - 04:22 NVD
9.3 (CRITICAL)
CVE Published
May 08, 2026 - 03:38 nvd
CRITICAL 9.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 pypi packages depend on litellm (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.81.16.

DescriptionCVE.org

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

AnalysisAI

SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection POCs are widely known. Discovered by Tencent YunDing Security Lab.

Technical ContextAI

LiteLLM is a proxy server (AI Gateway) that translates requests to various LLM APIs into OpenAI-compatible format. The vulnerability stems from CWE-89 (SQL Injection) where user-supplied API key values from the Authorization header are concatenated directly into SQL query text during API key verification, rather than being passed as parameterized values. The affected component is the proxy's authentication layer, specifically within the error-handling code path. CPE identifier cpe:2.3:a:berriai:litellm indicates this affects the Python package distributed via PyPI. The flaw violates secure coding practices for database interactions, allowing attackers to break out of the intended query logic and execute arbitrary SQL commands against the proxy's backend database, which stores sensitive credential data for managed LLM services.

RemediationAI

Upgrade to LiteLLM version 1.83.7 or later, available at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable (patched release confirmed by vendor). The fix implements parameterized SQL queries for API key verification, eliminating the injection vector. For environments where immediate upgrade is not feasible, apply the vendor-recommended workaround: set disable_error_logs: true under general_settings in the LiteLLM configuration, which removes the error-handling code path through which unauthenticated input reaches the vulnerable query. Note this workaround may reduce operational visibility into authentication failures and should be considered temporary. After upgrading, rotate all LLM API credentials managed by the proxy, as attackers who previously exploited this vulnerability may have exfiltrated credential data. Docker users should verify image signatures using cosign per vendor instructions to ensure authenticity of the patched release.

CVE-2026-42271 HIGH POC
8.7 May 08

Remote command execution in LiteLLM proxy server versions 1.74.2 through 1.83.6 allows any authenticated user to execute

CVE-2024-2952 CRITICAL POC
9.8 Apr 10

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. Rated critical s

CVE-2026-40217 HIGH POC
8.8 Apr 10

Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute ar

CVE-2024-4888 HIGH POC
8.1 Jun 06

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on t

CVE-2025-0330 HIGH POC
7.5 Mar 20

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error oc

CVE-2024-9606 HIGH POC
7.5 Mar 20

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerabi

CVE-2024-6587 HIGH POC
7.5 Sep 13

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. Rated high severity (CVSS

CVE-2024-5225 HIGH POC
7.2 Jun 06

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` en

CVE-2024-4889 HIGH POC
7.2 Jun 06

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated

CVE-2024-5710 MEDIUM POC
6.5 Jun 27

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. Rated med

CVE-2024-5751 CRITICAL
9.8 Jun 27

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated crit

CVE-2026-12795 MEDIUM POC
5.5 Jun 21

Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoin

Vendor StatusVendor

Share

CVE-2026-42208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy