Critical LiteLLM SQL Injection (CVSS 9.3) Exploited Within Hours of Disclosure

What Happened

A critical SQL injection vulnerability (CVE-2026-42208) in LiteLLM, the popular open-source AI gateway proxy, was exploited almost immediately after public disclosure. Rated at CVSS 9.3, the flaw lets an attacker read sensitive data from the gateway's backing database, including API keys, model configurations, and usage data, by sending crafted requests to the gateway.

LiteLLM is widely used in enterprise and startup environments as a unified proxy layer for routing requests to multiple LLM providers (OpenAI, Anthropic, Azure, etc.). Exploitation of this vulnerability could expose credentials for every connected AI service.

Why It Matters

This is a textbook example of why AI infrastructure is becoming a prime attack surface. LiteLLM sits in a privileged position — it’s the gateway between your applications and your AI providers, handling API keys, routing logic, and usage metadata. A SQL injection at this layer doesn’t just leak data from one service; it potentially compromises access to every LLM provider you’ve configured.
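The point above, that one injection at the gateway layer leaks credentials for every provider behind it, is easiest to see in code. The following is an added illustration written for this page, not LiteLLM's code, and it does not reproduce the actual CVE-2026-42208 code path or payload. It builds an in-memory credential table (constructed sample data, no real keys), shows the generic vulnerable pattern of splicing user input into SQL text, and puts the parameterized fix beside it. The table name, column names and the `lookup_key_*` functions are all hypothetical.

```python
import sqlite3

# Constructed sample data for this illustration; not LiteLLM's real schema.
SAMPLE_ROWS = [
    ("team-alpha", "openai", "sk-alpha-EXAMPLE"),
    ("team-beta", "anthropic", "sk-ant-beta-EXAMPLE"),
    ("team-gamma", "azure", "az-gamma-EXAMPLE"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a gateway's credential store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE provider_keys (team TEXT, provider TEXT, api_key TEXT)"
    )
    conn.executemany("INSERT INTO provider_keys VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_key_vulnerable(conn: sqlite3.Connection, team: str) -> list[tuple]:
    """Hypothetical vulnerable lookup: request input is spliced into SQL text.

    This is the generic SQL injection pattern, not the LiteLLM code path.
    Anything the caller controls in `team` is parsed as SQL by the database.
    """
    sql = f"SELECT provider, api_key FROM provider_keys WHERE team = '{team}'"
    return conn.execute(sql).fetchall()


def lookup_key_safe(conn: sqlite3.Connection, team: str) -> list[tuple]:
    """Hardened lookup: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT provider, api_key FROM provider_keys WHERE team = ?"
    return conn.execute(sql, (team,)).fetchall()


# Tautology payload: closes the string literal and appends an always-true clause,
# so the vulnerable query becomes  ... WHERE team = 'nobody' OR '1'='1'
INJECTION_PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Run the same payload through both lookups and return what each exposes."""
    conn = build_db()
    return {
        # Every provider key in the table comes back from a single request.
        "vulnerable_rows": lookup_key_vulnerable(conn, INJECTION_PAYLOAD),
        # The bound parameter is compared as a literal string: no team matches.
        "safe_rows": lookup_key_safe(conn, INJECTION_PAYLOAD),
        # Legitimate lookups still work through the hardened path.
        "legit_rows": lookup_key_safe(conn, "team-alpha"),
    }


if __name__ == "__main__":
    result = demo()
    print(f"vulnerable query returned {len(result['vulnerable_rows'])} provider keys")
    print(f"parameterized query returned {len(result['safe_rows'])} rows")
```

The vulnerable path returns all three providers' keys from one crafted input, which is exactly the blast radius described above: the gateway is a single store for every upstream credential, so a read primitive against its database is a read primitive against all of them. The fix is not input filtering but parameter binding, so that the database never interprets caller-controlled text as SQL.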

The speed of exploitation, hours rather than days, underscores that threat actors are actively monitoring AI infrastructure CVE disclosures. If you are running LiteLLM, patch immediately and rotate every upstream provider credential configured through the gateway; treat the gateway's own access keys (its master key and any virtual keys it issued) as exposed as well, since they live in the same database. Review database and gateway request logs from the disclosure window for unexpected queries before assuming you were not hit. This also serves as a reminder that the AI tooling ecosystem is maturing faster than its security posture.