
LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure


April 2026 — A critical SQL injection vulnerability in the widely used LiteLLM Python package has been actively exploited in the wild just 36 hours after public disclosure, highlighting how rapidly attackers are now weaponizing newly released AI infrastructure flaws.

The vulnerability, tracked as CVE-2026-42208 (CVSS 9.3), affects BerriAI’s LiteLLM proxy system and enables unauthenticated attackers to manipulate backend databases, potentially exposing or altering sensitive API credentials used in large language model (LLM) deployments.

Critical Flaw in AI Gateway Software

LiteLLM is an open-source AI gateway used to manage and route requests across multiple LLM providers. Security researchers say the flaw stems from improper handling of user-supplied input in database queries.

The issue occurs during proxy API key validation, where attacker-controlled data is directly inserted into SQL queries instead of being safely parameterized. This allows a specially crafted request—delivered via an HTTP Authorization header—to reach vulnerable database logic without authentication.

Successful exploitation could allow attackers to:

  • Read sensitive database records
  • Modify proxy configurations
  • Access stored API keys and credentials
  • Potentially compromise connected cloud services
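The defect described above, header text spliced into a SQL string instead of being bound as a parameter, is easiest to see side by side. The following is an added illustration written for this article, not LiteLLM's code: a hypothetical key-validation lookup against a constructed in-memory SQLite table, once with string formatting and once with a bound parameter. The table name, key values and header format are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny key store standing in for a proxy's
# verification table. Hypothetical names; not taken from LiteLLM.
KEYS = [("sk-alice-1111", "alice"), ("sk-bob-2222", "bob")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed key table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE verification_token (token TEXT PRIMARY KEY, user_id TEXT)"
    )
    conn.executemany("INSERT INTO verification_token VALUES (?, ?)", KEYS)
    return conn


def bearer_token(authorization: str) -> str:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("malformed Authorization header")
    return token.strip()


def lookup_key_vulnerable(conn: sqlite3.Connection, authorization: str) -> list:
    """Unauthenticated header text is formatted straight into the query.

    Any quote character in the header changes the meaning of the SQL, so
    the lookup no longer answers 'is this exact token known?'.
    """
    token = bearer_token(authorization)
    sql = f"SELECT user_id FROM verification_token WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_key_safe(conn: sqlite3.Connection, authorization: str) -> list:
    """Same lookup with a bound parameter.

    The driver ships the header text as a value, never as SQL, so the only
    thing it can do is match (or fail to match) a stored token literally.
    """
    token = bearer_token(authorization)
    rows = conn.execute(
        "SELECT user_id FROM verification_token WHERE token = ?", (token,)
    ).fetchall()
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both lookups against a genuine key and against the classic
    tautology payload, returning the results for comparison."""
    conn = make_db()
    genuine = "Bearer sk-alice-1111"
    crafted = "Bearer x' OR '1'='1"  # textbook tautology, no real key
    return {
        "vulnerable_genuine": lookup_key_vulnerable(conn, genuine),
        "vulnerable_crafted": sorted(lookup_key_vulnerable(conn, crafted)),
        "safe_genuine": lookup_key_safe(conn, genuine),
        "safe_crafted": lookup_key_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The crafted header makes the formatted query return every stored user, which is exactly the "reach vulnerable database logic without authentication" outcome the article describes; the parameterized version returns nothing for it. Escaping quotes by hand is not an acceptable substitute for binding parameters.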

Rapid Exploitation Within Hours of Public Disclosure

According to security telemetry, the first exploitation attempt occurred on April 26 at 16:17 UTC, roughly 26 hours after the advisory was indexed in public vulnerability databases.

Researchers observed malicious traffic originating from multiple IP addresses, including 65.111.27[.]132 and 65.111.25[.]67, suggesting coordinated activity by a single operator.

Attackers reportedly targeted high-value database tables such as:

  • litellm_credentials.credential_values
  • litellm_config

These tables commonly store sensitive cloud provider keys and runtime configuration data.

Focus on High-Value Cloud Credentials

Security firm Sysdig warned that compromised LiteLLM databases can expose credentials with significant financial and operational access, including API keys for major AI providers and cloud infrastructure services.

In many environments, a single stolen credential can provide access to:

  • Enterprise AI service accounts
  • Cloud workloads and storage systems
  • Billing and administrative control panels

Researchers compared the potential impact to a full cloud account compromise rather than a typical application-level breach.

Prior Supply Chain Concerns Raise Alarm

The incident adds to growing concerns around the security of AI infrastructure tools. LiteLLM has previously been targeted in supply chain attacks, including an incident linked to the TeamPCP threat group, which attempted to steal downstream user credentials.

With more than 45,000 GitHub stars and widespread enterprise adoption, the platform has become an attractive target for attackers seeking centralized access to AI workloads.

Patch Released, Mitigation Recommended

The vulnerability affects LiteLLM versions:

  • ≥ 1.81.16 and < 1.83.7

It was patched in version 1.83.7-stable, released on April 19, 2026.

However, due to the speed of exploitation, organizations that delayed patching have already been exposed.

Recommended Mitigation Steps:

Security maintainers advise upgrading immediately to the latest version. For systems that cannot be patched right away, disabling error logging with disable_error_logs: true under general settings can reduce exposure pathways.
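The interim setting mentioned above, shown as an added example configuration rather than anything taken from the advisory or the LiteLLM project. It assumes LiteLLM's config.yaml layout with a top-level general_settings block; the key name is the one the article gives, and the master key value is a placeholder.

```yaml
# Added example, not from the advisory or from LiteLLM's own documentation.
# Assumes the proxy reads a config.yaml with a top-level general_settings block.

# Weak interim state: error logging left at its default (enabled) on a proxy
# that is still on an affected version (>= 1.81.16 and < 1.83.7).
general_settings:
  master_key: "sk-PLACEHOLDER-REPLACE-ME"   # placeholder, not a real key
  disable_error_logs: false

---
# Hardened interim state for a proxy that cannot yet move to 1.83.7-stable.
# This reduces exposure pathways only; upgrading remains the actual fix.
general_settings:
  master_key: "sk-PLACEHOLDER-REPLACE-ME"   # placeholder, not a real key
  disable_error_logs: true
```

Treat the second document as a stopgap to be removed once the upgrade lands, and confirm the running version after the upgrade rather than trusting the deployment manifest.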

Security Experts Warn of Shrinking Response Windows

Researchers say this incident reflects a broader shift in cyber threat timelines, where attackers now exploit vulnerabilities within hours of disclosure—often before defenders can deploy patches.

The behavior observed in this case, including targeted database enumeration and credential-focused probing, indicates that exploitation no longer depends on public proof-of-concept code.
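Because the probing described above arrives in the Authorization header, a defender who captures that header at a reverse proxy in front of the gateway can look for it directly. The following is an added example, not part of the article or of any vendor tooling: a small scanner over constructed JSON-lines records that flags tokens containing SQL metacharacters or keywords, tokens that name the two tables the article reports as targeted, and requests from the two source addresses the article lists (refanged here for matching). The log format and field names are assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample: JSON-lines from a hypothetical reverse proxy that records
# the Authorization header for security review. The records are invented for
# this illustration; the source IPs are the two the article reports.
SAMPLE_LOG = """\
{"ts": "2026-04-26T16:17:02Z", "src_ip": "65.111.27.132", "method": "POST", "path": "/v1/chat/completions", "status": 500, "authorization": "Bearer sk-x' OR '1'='1"}
{"ts": "2026-04-26T16:17:03Z", "src_ip": "65.111.27.132", "method": "POST", "path": "/v1/chat/completions", "status": 500, "authorization": "Bearer sk-x' UNION SELECT credential_values FROM litellm_credentials--"}
{"ts": "2026-04-26T16:17:04Z", "src_ip": "65.111.25.67", "method": "GET", "path": "/models", "status": 401, "authorization": "Bearer sk-x'; SELECT * FROM litellm_config--"}
{"ts": "2026-04-26T16:18:10Z", "src_ip": "10.0.4.21", "method": "POST", "path": "/v1/chat/completions", "status": 200, "authorization": "Bearer sk-team-a-0f3a9c"}
{"ts": "2026-04-26T16:18:11Z", "src_ip": "10.0.4.22", "method": "GET", "path": "/health", "status": 200, "authorization": ""}
"""

# Characters and keywords that have no business inside a bearer token.
SQLI_PATTERN = re.compile(
    r"""['";]|--|/\*|\b(?:UNION|SELECT|FROM|WHERE|INSERT|UPDATE|DELETE|DROP)\b""",
    re.IGNORECASE,
)
# Tables the article reports attackers went after.
TARGET_TABLES = ("litellm_credentials", "litellm_config")
# Source addresses from the article (defanged there as 65.111.27[.]132 and 65.111.25[.]67).
WATCHLIST_IPS = {"65.111.27.132", "65.111.25.67"}


def classify_request(rec: dict) -> list:
    """Return the reasons a request looks like an injection probe; empty if benign."""
    reasons = []
    auth = rec.get("authorization", "") or ""
    # Strip the scheme so only the token itself is inspected.
    token = auth.partition(" ")[2] if auth.lower().startswith("bearer ") else auth
    if SQLI_PATTERN.search(token):
        reasons.append("sql_metacharacters_in_token")
    lowered = token.lower()
    for table in TARGET_TABLES:
        if table in lowered:
            reasons.append(f"references_{table}")
    if rec.get("src_ip") in WATCHLIST_IPS:
        reasons.append("source_on_advisory_watchlist")
    return reasons


def scan(log_text: str):
    """Scan JSON-lines text; return (findings, suspicious request count per source IP).

    The per-source count is what surfaces enumeration: one odd token is noise,
    several from the same address in a short window is a probe.
    """
    findings = []
    per_source = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify_request(rec)
        if reasons:
            findings.append(
                {"ts": rec["ts"], "src_ip": rec["src_ip"], "path": rec["path"], "reasons": reasons}
            )
            per_source[rec["src_ip"]] += 1
    return findings, dict(per_source)


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["src_ip"], hit["path"], ", ".join(hit["reasons"]))
    print("suspicious requests per source:", counts)
```

Run against the constructed sample, the three probe records are flagged and the two legitimate ones pass; the 500 responses on the flagged requests are a second signal worth alerting on, since an injected token that breaks the query tends to surface as a server error rather than the 401 a bad key would normally produce.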
