
Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw
Why It Matters
The flaw compromises the credential store of a widely adopted LLM proxy, risking large‑scale credential theft and downstream attacks on AI services. Prompt remediation is essential to protect the integrity of AI‑driven applications and cloud environments.
Key Takeaways
- CVE‑2026‑42208 allows unauthenticated SQL injection in LiteLLM proxy
- Exploitation began within 36 hours of public disclosure
- Vulnerable version stores API keys, making credential theft possible
- Upgrade to LiteLLM 1.83.7 or apply workaround to mitigate risk
Pulse Analysis
LiteLLM has become a de‑facto middleware for developers building multi‑model AI applications, offering a unified API that abstracts provider‑specific quirks. Its open‑source nature and rapid adoption—evidenced by over 45,000 GitHub stars—make it a prime target for attackers seeking to harvest high‑value credentials. The CVE‑2026‑42208 flaw stems from insecure string concatenation during API‑key verification, allowing a malicious Authorization header to inject arbitrary SQL. Because the proxy stores API keys for OpenAI, Anthropic, Bedrock, and custom environments, a successful injection can expose the entire secret vault, enabling credential reuse across cloud services.
The exploitation timeline underscores the agility of modern threat actors. Sysdig researchers recorded targeted requests to the /chat/completions endpoint within 36 hours of the advisory’s public release, indicating that the vulnerability was actively scanned and weaponized. Attackers demonstrated precise knowledge of the database schema, bypassing benign tables and homing in on credential stores. This behavior, coupled with a concurrent supply‑chain attack involving malicious PyPI packages, suggests a coordinated effort to compromise AI infrastructure at scale. The rapid pivot to new IP addresses further points to evasion tactics designed to avoid detection by traditional network monitoring.
Mitigation now hinges on immediate version upgrades to LiteLLM 1.83.7, which implements parameterised queries, eliminating the injection vector. Organizations unable to upgrade should enable the "disable_error_logs" setting to block the vulnerable code path, but must also rotate all stored keys and secrets, treating any exposed instance as compromised. The incident serves as a cautionary tale for the broader AI ecosystem: as LLM integration deepens, the security of supporting middleware becomes as critical as the models themselves. Proactive code reviews, dependency scanning, and zero‑trust credential management are essential safeguards against similar supply‑chain and injection threats.
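The bug class and its fix, as an added example that is not LiteLLM's code: a key lookup built by string concatenation beside the same lookup with a bound parameter. The table schema, function names and header values are constructed for illustration, and SQLite stands in for the proxy's database.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a proxy's key store (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO api_keys VALUES ('sk-constructed-0001', 'team-a')")
    return db

def bearer_token(authorization_header):
    # Take the credential from "Authorization: Bearer <token>".
    scheme, _, value = authorization_header.partition(" ")
    return value if scheme.lower() == "bearer" else ""

def verify_key_concat(db, authorization_header):
    # Flawed pattern: caller-controlled text becomes part of the SQL statement.
    token = bearer_token(authorization_header)
    sql = "SELECT owner FROM api_keys WHERE token = '" + token + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def verify_key_param(db, authorization_header):
    # Hardened pattern: the token is bound as data and is never parsed as SQL.
    token = bearer_token(authorization_header)
    row = db.execute(
        "SELECT owner FROM api_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None

# Constructed inputs: a valid key, an unknown key, and a value carrying a quote and a tautology.
VALID = "Bearer sk-constructed-0001"
UNKNOWN = "Bearer sk-not-issued"
CRAFTED = "Bearer x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name, header in [("valid", VALID), ("unknown", UNKNOWN), ("crafted", CRAFTED)]:
        # Columns: input kind, concatenated lookup result, parameterised lookup result.
        print(name, verify_key_concat(db, header), verify_key_param(db, header))
```

The two functions agree on the valid and unknown keys and differ only on the crafted value, which is why the concatenated path can pass ordinary functional testing unnoticed.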