
CVE-2026-42208: LiteLLM Proxy API Key SQL Injection

The identified vulnerability resides within the API key validation logic of the LiteLLM proxy server. Technical review of the affected codebase reveals that the proxy server performs database lookups to verify incoming API keys. In affected versions, the input provided within the Authorization header is concatenated directly into the SQL query string used for this verification.

The injection point is triggered when the proxy’s error-handling mechanism invokes the key check after an initial validation failure. An attacker does not require valid credentials to reach this vulnerable path. By injecting SQL commands into the Bearer token string, an attacker causes the proxy server to execute unauthorized queries against the backend database.

The attack vector is network-based and requires no authentication. An attacker sends a standard POST request to any public-facing LLM route (e.g., /chat/completions) with an Authorization header containing an SQL payload instead of a legitimate API key.

The backend database executes the injected SQL, allowing for the extraction of stored keys, configuration settings, and other metadata. Because the application logic fails to parameterize the input, the injected SQL becomes part of the application query context.
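To make the flaw class concrete, here is an added illustration (not LiteLLM's own code; table layout, key value and function names are assumptions for this demo) that puts a concatenated key lookup next to its parameterized form against an in-memory SQLite key store. A token containing a single quote is enough to show the difference: the concatenated version hands the token to the SQL parser as syntax and errors out, while the parameterized version compares it as data and simply finds no row.

```python
import sqlite3
from typing import Callable, Dict, Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    # Constructed in-memory key store standing in for the proxy's backend
    # database; the table layout and the stored key are demo assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('sk-valid-0001', 'team-a')")
    conn.commit()
    return conn


def lookup_key_vulnerable(conn: sqlite3.Connection, token: str) -> Row:
    # Flaw class described in the advisory: the header value is spliced into
    # the SQL text, so the database parses it as part of the statement.
    query = "SELECT token, team FROM api_keys WHERE token = '" + token + "'"
    return conn.execute(query).fetchone()


def lookup_key_parameterized(conn: sqlite3.Connection, token: str) -> Row:
    # Fixed form: the token travels as a bound parameter and is only ever
    # compared as a value, whatever characters it contains.
    query = "SELECT token, team FROM api_keys WHERE token = ?"
    return conn.execute(query, (token,)).fetchone()


def extract_bearer(authorization: str) -> Optional[str]:
    # Accept only "Bearer <token>"; anything else is treated as no credential.
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def check_key(
    conn: sqlite3.Connection,
    authorization: str,
    lookup: Callable[[sqlite3.Connection, str], Row],
) -> Dict[str, bool]:
    # Wraps a lookup the way a request handler would. A database error while
    # verifying a key is itself a signal worth logging: it means the token
    # text reached the SQL parser as syntax rather than as a value.
    token = extract_bearer(authorization)
    if token is None:
        return {"authorized": False, "db_error": False}
    try:
        row = lookup(conn, token)
    except sqlite3.Error:
        return {"authorized": False, "db_error": True}
    return {"authorized": row is not None, "db_error": False}


if __name__ == "__main__":
    db = make_db()
    for header in ("Bearer sk-valid-0001", "Bearer sk-abc'def"):
        print(
            header,
            "concatenated:", check_key(db, header, lookup_key_vulnerable),
            "parameterized:", check_key(db, header, lookup_key_parameterized),
        )
```

The `db_error` flag in `check_key` is the part worth carrying into a real handler: a key verification query that fails to parse should never be a silent 500, because on a vulnerable build that error is the trace an attempted injection leaves behind.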

Detection should focus on monitoring for anomalies within web proxy logs and database activity:

  1. Malicious Authorization Headers: Network logs showing high volumes of POST requests where the Authorization header contains suspicious character sequences associated with SQL injection (e.g., SELECT, UNION, INSERT).
  2. Proxy Internal Errors: A spike in 500-series status codes within LiteLLM logs corresponding to requests with malformed or suspicious Bearer tokens, indicating injection attempts that failed and were logged through the error path.
  3. Database Abnormalities: Database query logs showing unexpected SELECT or UNION operations originating from the proxy service account that do not align with standard API key verification traffic.

A Sigma rule covering the first indicator (keyword match on the Bearer token of POST requests):

title: Detect LiteLLM SQL Injection Attempt
logsource:
  product: litellm
  category: web_server
detection:
  selection:
    http_method: 'POST'
    http_header_authorization: '*Bearer *'
  keywords:
    - 'SELECT '
    - 'UNION '
    - 'INSERT '
    - 'UPDATE '
    - 'DELETE '
    - 'FROM '
  condition: selection AND keywords
level: critical
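The following added example (not part of the advisory or of LiteLLM) applies the same logic as the Sigma rule above to proxy log lines and also tallies the second indicator, 500-series responses per source address for requests whose Bearer token matched. The log lines are constructed JSON records with assumed field names (`ts`, `src_ip`, `method`, `path`, `authorization`, `status`); real LiteLLM log fields will differ and the field mapping is the first thing to adapt.

```python
import json
from collections import Counter
from typing import Dict, List, Optional

# Keyword list mirrors the Sigma rule, trailing space included; matching is
# case-insensitive, as Sigma keyword matching is by default.
SQL_KEYWORDS = ("SELECT ", "UNION ", "INSERT ", "UPDATE ", "DELETE ", "FROM ")

# Constructed sample log, one JSON object per line. Field names are assumed
# for this demo and are not LiteLLM's actual log schema.
SAMPLE_LOG = """\
{"ts":"2026-04-01T10:00:00Z","src_ip":"10.0.0.5","method":"POST","path":"/chat/completions","authorization":"Bearer sk-valid-0001","status":200}
{"ts":"2026-04-01T10:00:01Z","src_ip":"203.0.113.7","method":"POST","path":"/chat/completions","authorization":"Bearer sk-test' SELECT FROM x","status":500}
{"ts":"2026-04-01T10:00:02Z","src_ip":"203.0.113.7","method":"POST","path":"/chat/completions","authorization":"Bearer union select","status":500}
{"ts":"2026-04-01T10:00:03Z","src_ip":"10.0.0.9","method":"GET","path":"/health","authorization":"","status":200}
{"ts":"2026-04-01T10:00:04Z","src_ip":"10.0.0.5","method":"POST","path":"/chat/completions","authorization":"Bearer sk-selectric-0002","status":401}
"""


def bearer_token(authorization: str) -> Optional[str]:
    # Only "Bearer <token>" headers are in scope for this rule.
    scheme, _, token = authorization.strip().partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def suspicious_keywords(token: str) -> List[str]:
    # Return the rule keywords present in the token, in rule order.
    # The trailing space on each keyword is what keeps "sk-selectric-0002"
    # from matching "SELECT ".
    upper = token.upper()
    return [kw.strip() for kw in SQL_KEYWORDS if kw in upper]


def analyze(log_text: str) -> Dict:
    # Walk the log once: emit an alert per matching POST request and count
    # 500-series responses per source address among those alerts.
    alerts = []
    server_errors_by_ip: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        token = bearer_token(rec.get("authorization", ""))
        if rec.get("method") != "POST" or token is None:
            continue
        hits = suspicious_keywords(token)
        if not hits:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src_ip": rec["src_ip"],
            "path": rec["path"],
            "keywords": hits,
        })
        if int(rec.get("status", 0)) >= 500:
            server_errors_by_ip[rec["src_ip"]] += 1
    return {"alerts": alerts, "server_errors_by_ip": dict(server_errors_by_ip)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The trailing-space convention keeps false positives down on ordinary keys but also means variants such as `SELECT(` or keywords separated by comments will not match; treat the keyword list as a starting point and pair it with the database-side indicator (unexpected SELECT or UNION from the proxy service account), which does not depend on how the request was spelled.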

Upgrade to LiteLLM version 1.83.7 or later, where database queries have been refactored to use parameterized input methods.

If an immediate upgrade is not feasible, the following temporary configuration change mitigates the exploit by disabling the vulnerable code path:

  • Set disable_error_logs: true in the LiteLLM configuration file.