Issuer: Adverse Trace
Date issued: 2026-06-06
Version: 1.0
1. Executive summary
BerriAI LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the proxy API key validation path. An unauthenticated attacker can send a crafted Authorization header to any LLM API route (e.g. POST /chat/completions) and reach a vulnerable database query via the proxy's error-handling path, enabling full read/write access to the proxy database and compromise of all managed LLM credentials. The flaw is patched in version 1.83.7. EMEA financial services using LiteLLM as an AI gateway face immediate credential theft and proxy takeover risk; the vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog with a BOD 22-01 due date of 2026-05-11.
2. Regulatory framing
| Regulation | Article | Practical impact |
|---|---|---|
| DORA | Art. 17 (ICT risk management) | Firms must identify LiteLLM as a critical ICT asset, assess this vulnerability, and apply patch or compensating controls within the ICT risk management framework. |
| DORA | Art. 19 (Third-party ICT risk) | Where LiteLLM is supplied by a third party, firms must ensure contractual remediation SLAs and verify vendor patch deployment (v1.83.7). |
| DORA | Art. 28–30 (Incident reporting) | Successful exploitation constitutes a major ICT incident; firms must report to competent authorities within 4 hours of detection and notify affected clients. |
| NIS2 | Art. 21(2)(d) (Vulnerability handling) | Essential/important entities must apply the vendor patch (v1.83.7) or documented mitigations without undue delay; maintain evidence for supervisory review. |
| NIS2 | Art. 23 (Reporting obligations) | Exploitation triggers early warning (24h) and incident notification (72h) to CSIRT/CA. |
| UK NIS Regs | Reg. 10 (Security measures) / Reg. 11 (Incident reporting) | UK operators of essential services/digital service providers must apply equivalent patching and reporting timelines. |
3. Attack chain
Confirmed steps (per NVD/CISA description):
1. Attacker sends HTTP request to LiteLLM proxy endpoint (e.g. POST /chat/completions).
2. Request includes a specially crafted Authorization header containing SQL injection payload.
3. Proxy routes request through its error-handling path.
4. Vulnerable database query interpolates the caller-supplied key value directly into SQL text instead of using a parameterised query.
5. Injected SQL executes, allowing attacker to read and potentially modify the proxy database.
6. Attacker gains unauthorised access to the proxy and the LLM credentials it manages.
Unconfirmed / not observed in source material: Specific exploitation payloads, active exploitation campaigns, ransomware deployment, or post-exploitation lateral movement. CISA KEV listing confirms exploitation evidence exists but no public TTP details are disclosed. Attribution is unknown.
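The flaw class in confirmed step 4, shown beside its parameterised form. This is an added illustration, not LiteLLM's code: the in-memory SQLite database, the `proxy_keys` schema, the key values and all function names are hypothetical, and the crafted value is the generic pattern already listed in section 4.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a proxy key table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO proxy_keys VALUES (?, ?)",
        [("sk-constructed-alpha", "team-a"), ("sk-constructed-beta", "team-b")],
    )
    return conn

def bearer_value(header):
    """Strip an optional 'Bearer ' scheme from an Authorization header."""
    scheme, _, rest = header.partition(" ")
    return rest if scheme.lower() == "bearer" and rest else header

def lookup_interpolated(conn, presented_key):
    # Flawed pattern from step 4: the caller-supplied value becomes SQL text,
    # so a quote inside the key changes the structure of the query.
    sql = f"SELECT owner FROM proxy_keys WHERE token = '{presented_key}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, presented_key):
    # Fixed pattern: the SQL text is constant and the value is a bound
    # parameter, so it is only ever compared as data.
    sql = "SELECT owner FROM proxy_keys WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (presented_key,))]

if __name__ == "__main__":
    db = make_db()
    for header in ("Bearer sk-constructed-alpha", "Bearer x' OR '1'='1"):
        key = bearer_value(header)
        print(repr(key), "interpolated:", sorted(lookup_interpolated(db, key)),
              "parameterised:", lookup_parameterised(db, key))
```

The same comparison works as a regression test after upgrading: any key lookup that returns rows for a value not present in the table is still building SQL from input.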
4. Mitigation & containment
P1 — within 24 hours
- Upgrade all LiteLLM deployments to version 1.83.7 or later (vendor fix).

```bash
pip install --upgrade litellm==1.83.7
# or via container
docker pull ghcr.io/berriai/litellm:main-v1.83.7
```

- If immediate upgrade is impossible: block external access to all LiteLLM API routes (/chat/completions, /embeddings, /completions, /v1/*) at network perimeter / WAF / API gateway.
- Deploy WAF rule to drop requests where Authorization header matches common SQLi patterns (' OR '1'='1, UNION SELECT, ;--, /*, */, xp_, sp_).
- Rotate all LLM API keys and credentials stored in the proxy database immediately after patching.

P2 — within 72 hours
- Audit proxy database for unauthorised schema changes, new users, or anomalous query logs (SELECT * FROM information_schema.tables, INSERT/UPDATE/DELETE on credential tables).
- Enable LiteLLM request logging (set LITELLM_LOG=DEBUG) and ship logs to SIEM; alert on Authorization headers containing SQL meta-characters (', ;, --, /*, */).
- Review third-party risk register (DORA Art. 19) for any downstream services consuming this proxy; notify them of credential rotation.

P3 — within 7 days
- Conduct targeted penetration test against the proxy's authentication and error-handling paths.
- Harden database account used by LiteLLM: least-privilege role, no DROP/ALTER/GRANT, read-only where feasible.
- Update ICT asset inventory and third-party dependency mapping; document compensating controls for supervisory evidence (DORA Art. 17, NIS2 Art. 21(2)(d)).
5. Indicators of compromise
No indicators of compromise available in the source material.
6. Detection
YARA: Insufficient indicators to author detection rules. The source provides no file hashes, distinctive strings, mutex names, or binary artefacts.
Sigma (web proxy / LiteLLM access logs):
```yaml
title: Suspicious Authorization Header on LiteLLM LLM API Endpoints
id: 3f8a9c1e-7d4b-4a2e-9f1c-6e5d8b2a1c9f
status: experimental
description: Detects potential SQL injection attempts via Authorization header on LiteLLM proxy API routes (CVE-2026-42208)
author: Adverse Trace
date: 2026-06-06
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-42208
logsource:
  category: webserver
  product: litellm
detection:
  selection_endpoint:
    cs-uri-stem|contains:
      - '/chat/completions'
      - '/embeddings'
      - '/completions'
      - '/v1/'
  selection_method:
    cs-method: 'POST'
  selection_sqli_header:
    cs(Authorization)|contains:
      - "' OR '1'='1"
      - 'UNION SELECT'
      - ';--'
      # '*' is a Sigma wildcard; escape it so the SQL comment markers match literally
      - '/\*'
      - '\*/'
      - 'xp_'
      - 'sp_'
  condition: selection_endpoint and selection_method and selection_sqli_header
falsepositives:
  - Legitimate API keys containing SQL-like substrings (rare)
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.42208
```
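The P2 log check from section 4 (POST requests to the LLM routes whose Authorization header contains ', ;, --, /* or */), written as an offline triage script that puts a hash prefix in the alert instead of the raw header, so the alert pipeline does not become a second copy of the credentials. This is an added example, not part of LiteLLM or of the original advisory tooling; the JSON-lines record layout (`src`, `method`, `path`, `authorization`) and the sample log are constructed assumptions.

```python
import hashlib
import json

# Routes and meta-characters are the ones this advisory lists in sections 4 and 6.
ROUTES = ("/chat/completions", "/embeddings", "/completions", "/v1/")
META = ("'", ";", "--", "/*", "*/")

def fingerprint(value):
    """Short SHA-256 prefix, so an alert never carries the raw credential."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]

def triage(lines):
    """Return (alerts, skipped): one alert per POST to an LLM route whose
    Authorization header contains a SQL meta-character; skipped counts
    lines that are not JSON objects."""
    alerts, skipped = [], 0
    for number, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1
            continue
        path = str(rec.get("path", ""))
        auth = str(rec.get("authorization", ""))
        if rec.get("method") != "POST" or not any(r in path for r in ROUTES):
            continue
        matched = [m for m in META if m in auth]
        if matched:
            alerts.append({"line": number, "src": rec.get("src"), "path": path,
                           "matched": matched, "auth_sha256_12": fingerprint(auth)})
    return alerts, skipped

def _rec(src, method, path, authorization):
    # Helper that builds one constructed log line in the assumed layout.
    return json.dumps({"src": src, "method": method, "path": path,
                       "authorization": authorization})

# Constructed sample log (documentation IP ranges, made-up keys).
SAMPLE_LOG = [
    _rec("192.0.2.10", "POST", "/chat/completions", "Bearer sk-constructed-1234"),
    _rec("198.51.100.7", "POST", "/v1/embeddings", "Bearer x' OR '1'='1"),
    _rec("198.51.100.7", "GET", "/health", "Bearer abc;--"),
    "truncated line, not JSON",
    _rec("203.0.113.5", "POST", "/chat/completions", "Bearer abc;--"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[0]:
        print(json.dumps(alert))
```

A non-zero skipped count is worth alerting on too: records that fail to parse are records the rule never evaluated.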
7. Sources
- NVD, CVE-2026-42208 Detail, https://nvd.nist.gov/vuln/detail/CVE-2026-42208, published 2026-05-07
- CISA, Known Exploited Vulnerabilities Catalog (referenced via NVD), https://www.cisa.gov/known-exploited-vulnerabilities-catalog, accessed 2026-06-06
8. Adverse Trace position
We assess this as Critical severity (CVSS 3.1 9.8 / CVSS 4.0 9.3) for any EMEA financial entity operating LiteLLM <1.83.7. The unauthenticated, network-exploitable nature combined with credential database compromise directly threatens DORA Art. 17/19 compliance and triggers NIS2 Art. 23 reporting if exploited. Adverse Trace will monitor for public exploit code, CISA KEV updates, and vendor advisories; we will issue a follow-up advisory if exploitation TTPs or IOCs become available. Clients should treat the 2026-05-11 BOD 22-01 due date as already lapsed and prioritise P1 actions immediately.
Published via PulseTrace — Adverse Trace threat intelligence.