AI Sec Weekly

The LiteLLM SQL Injection (CVE-2026-42208) and Why AI Gateways Are Crown Jewels

A pre-auth SQL injection in the LiteLLM proxy landed in CISA's KEV catalog and was exploited within roughly 36 hours of disclosure. The bug is ordinary; the lesson is about where your AI stack concentrates secrets. What to check this week.

By AI Sec Weekly Editorial · 8 min read

A midweek briefing, because this one is concrete and time-sensitive in a way the usual durable-class items aren’t. Verify every specific below against the NVD record and the project advisory before you act — this is analysis, not an advisory feed — but the short version is: if you run LiteLLM, this is your week to patch and rotate.

What it is

CVE-2026-42208 is a pre-authentication SQL injection in LiteLLM, the popular open-source proxy / “AI gateway” that sits in front of model APIs and brokers requests to many providers. Per NVD: a database query used during proxy API-key checks mixed the caller-supplied key value into the query text instead of passing it as a separate bound parameter. The consequence is the textbook one — an unauthenticated attacker sends a crafted Authorization header to any LLM API route (say POST /chat/completions), and the value reaches the vulnerable query through the proxy’s error-handling path.

NVD lists it CRITICAL — CVSS v3.1 9.8 and CVSS v4.0 9.3 — affecting versions 1.81.16 up to (not including) 1.83.7. Confirm that range against your deployment; the patched release is 1.83.7.

There is nothing exotic here. It’s a missing parameterized query, the same bug class web apps have been getting wrong since the 1990s. What makes it a headline is where it lives.
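
The bug class named above, shown on a constructed key table as an added example (this is not LiteLLM's code; the table `proxy_keys`, its columns and every function name here are hypothetical). The first lookup builds the query text from the caller's value, the second passes it as a bound parameter, and the last function is a regression check a defender can run against either.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a gateway's key store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO proxy_keys VALUES ('sk-constructed-app1', 'app1')")
    return db

def lookup_concat(db, presented):
    # Weak form: the caller's value becomes part of the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = "SELECT owner FROM proxy_keys WHERE token = '" + presented + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, presented):
    # Corrected form: the SQL text is constant and the value travels
    # separately, so it can only ever be compared as data.
    return db.execute(
        "SELECT owner FROM proxy_keys WHERE token = ?", (presented,)
    ).fetchall()

# Constructed probe values: none is a stored key, so a correct lookup must
# return no rows for any of them.
PROBES = ["nope' OR '1'='1", "x' --", "'"]

def treats_input_as_data(lookup):
    """Regression check: True if no probe alters the result or the SQL syntax."""
    db = make_db()
    try:
        return all(lookup(db, probe) == [] for probe in PROBES)
    except sqlite3.Error:
        # A syntax error triggered by caller input means it reached the SQL text.
        return False

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_bound):
        print(fn.__name__, "treats input as data:", treats_input_as_data(fn))
```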

Why an AI gateway is a crown-jewel target

A proxy like LiteLLM exists to centralize access to your model providers. That means it concentrates, in one place, the things an attacker most wants:

  • The virtual/proxy API keys your applications use to call the gateway.
  • The upstream provider credentials the gateway uses to call OpenAI, Anthropic, your self-hosted models, and the rest.
  • Configuration and routing that maps your entire AI surface.

Public reporting on this CVE (Sysdig’s threat-research team, among others) describes an attacker who, within roughly 36 hours of the advisory becoming widely indexed, went straight for the tables holding exactly those secrets — virtual keys and provider credentials. That’s not opportunistic scanning; that’s someone who understood what a gateway holds. And the bug being a read/write SQL injection means the exposure isn’t just “they reached the database” — it’s “assume they read the secrets in it.”

The other signal you shouldn’t miss: CISA added this to its Known Exploited Vulnerabilities catalog. KEV inclusion means active exploitation is confirmed and federal agencies get a hard remediation deadline. For everyone else, KEV is the clearest “this is not theoretical” flag the U.S. government publishes.

Why patching alone isn’t the fix

Because the injection exposes stored secrets, upgrading to 1.83.7 stops the bleeding but doesn’t undo what may already have leaked. If you ran an affected version while it was exploitable, the durable response is to treat the gateway’s secrets as potentially compromised:

  • Rotate the upstream provider credentials the proxy held. Those are the keys to your actual model spend and data.
  • Rotate the virtual API keys issued through the proxy, and re-issue to your applications.
  • Review provider-side usage logs for anomalous calls during the exposure window — unfamiliar models, regions, or volumes.

This is the part teams skip, and it’s the part that matters. A patched proxy with leaked provider keys is still a breached proxy.
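
One way to run the usage-log review from the list above, as an added example that is not part of the original article: it baselines models, regions and daily token volume from before the exposure window and flags in-window records that depart from it. The record layout, the sample dates and the 3x volume factor are assumptions; map them to whatever your provider's usage export contains.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (ISO timestamp, model, region, tokens).
SAMPLE = [
    ("2026-01-05T09:00:00", "model-a", "us-east", 1200),
    ("2026-01-06T09:30:00", "model-a", "us-east", 1500),
    ("2026-01-07T10:00:00", "model-b", "us-east", 900),
    ("2026-01-10T03:12:00", "model-a", "us-east", 1100),  # in window, normal
    ("2026-01-10T03:15:00", "model-z", "us-east", 800),   # unfamiliar model
    ("2026-01-11T04:00:00", "model-a", "ap-south", 700),  # unfamiliar region
    ("2026-01-12T02:00:00", "model-a", "us-east", 9000),  # volume spike
]

def daily_totals(records):
    """Sum tokens per calendar day."""
    totals = defaultdict(int)
    for ts, _, _, tokens in records:
        totals[ts.date()] += tokens
    return totals

def review(records, window_start, window_end, volume_factor=3.0):
    """Flag in-window records that depart from the pre-window baseline."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    parsed = [(datetime.fromisoformat(ts), m, r, t) for ts, m, r, t in records]
    baseline = [rec for rec in parsed if rec[0] < start]
    in_window = [rec for rec in parsed if start <= rec[0] <= end]

    known_models = {rec[1] for rec in baseline}
    known_regions = {rec[2] for rec in baseline}
    # Busiest baseline day; with no baseline, any in-window volume is flagged.
    peak = max(daily_totals(baseline).values(), default=0)
    window_days = daily_totals(in_window)

    findings = []
    for ts, model, region, _ in in_window:
        reasons = []
        if model not in known_models:
            reasons.append("unfamiliar model")
        if region not in known_regions:
            reasons.append("unfamiliar region")
        if window_days[ts.date()] > volume_factor * peak:
            reasons.append("daily volume spike")
        if reasons:
            findings.append((ts.isoformat(), reasons))
    return findings
```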

What to check this week

  • Do you run LiteLLM, and on what version? Compare against the affected range (1.81.16 to before 1.83.7) on NVD. Don’t forget shadow deployments — a gateway someone stood up for one team’s experiment is still holding real keys.
  • Patch to 1.83.7+, then rotate every credential the proxy stored. Patch is necessary; rotation is the cleanup.
  • Constrain the database account the proxy uses to least privilege, so the next SQL-injection-class bug in any AI middleware reads less.
  • Treat the gateway as a tier-one web application. It deserves the same WAF, monitoring, and secret-management discipline as your most sensitive internal service — because functionally, it is one.
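
The first two checks combined, as an added example (not from the article or the LiteLLM project): given the versions each deployment has run, it decides whether the deployment still needs the patch and whether its stored credentials need rotating. The inventory layout and host names are constructed, and the history is assumed to cover the period when the bug was exploitable; the version range is the NVD one quoted above.

```python
import re

AFFECTED_FROM = (1, 81, 16)  # lower bound of the NVD range quoted above
FIXED_IN = (1, 83, 7)        # patched release; the range excludes it

def is_affected(version):
    """True/False for X.Y.Z-style strings, None when a human must look."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return None
    core = tuple(int(g) for g in m.group(1, 2, 3))
    # A pre-release of the fixed version (1.83.7rc1, 1.83.7.dev2) sorts before
    # the release, so it falls inside the "before 1.83.7" range.
    if core == FIXED_IN and re.match(r"[.-]?(a|b|rc|dev)\d*", m.group(4)):
        return True
    return AFFECTED_FROM <= core < FIXED_IN

def triage(history):
    """history: versions a deployment has run, oldest first, current last."""
    states = [is_affected(v) for v in history]
    if not states or None in states:
        return "review manually"
    if states[-1]:
        return "patch and rotate"
    if any(states):
        return "rotate"  # patched now, but secrets were exposed earlier
    return "no action"

# Constructed inventory, including a shadow deployment nobody upgraded.
INVENTORY = {
    "gateway-prod": ["1.82.4", "1.83.7"],
    "team-x-experiment": ["1.81.16"],
    "gateway-staging": ["1.81.15", "1.83.8"],
    "legacy-box": ["main-latest"],
}

def report(inventory=INVENTORY):
    """Map each host to the action its version history calls for."""
    return {host: triage(hist) for host, hist in inventory.items()}

if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host}: {action}")
```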

The durable lesson, the one that outlives this specific CVE: the OWASP LLM Top 10 spends most of its attention on the model, but the most valuable target in many AI deployments isn’t the model — it’s the boring infrastructure that concentrates the credentials around it. Secure the plumbing like it’s the crown jewels, because to an attacker it is.

— Theo

Sources

  1. CVE-2026-42208 (LiteLLM) — NVD
  2. CISA Known Exploited Vulnerabilities Catalog
  3. OWASP Top 10 for Large Language Model Applications