Critical | Known exploited (KEV) | CVE-2026-42208

SQL injection in LiteLLM, an LLM proxy (CVE-2026-42208) — the proxy's database and the credentials it manages are at risk

BerriAI LiteLLM | Added to KEV: May 8, 2026 | Federal remediation due: 2026-05-11

BerriAI LiteLLM, an open-source LLM proxy/gateway that unifies many LLM providers, has a SQL injection vulnerability. An attacker can read — and potentially modify — the proxy's database, leading to unauthorized access to the proxy and the credentials (API keys, etc.) it manages. CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical).

Key facts

  • CVE ID: CVE-2026-42208
  • CVSS base score: 9.8 CRITICAL
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected (vendor / product): BerriAI LiteLLM
  • CWE: CWE-89
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-05-11 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • SQL injection (CWE-89) in BerriAI LiteLLM (a popular OSS LLM proxy/gateway)
  • An attacker can read/modify the proxy's DB, reaching the proxy and the credentials it manages
  • An LLM proxy centrally manages many API keys/tokens, so the whole "keyring" is exposed at once
  • Listed in CISA KEV = exploitation confirmed (CVSS 9.8 Critical)
  • Response: fix per vendor; rotate managed API keys/tokens on the assumption of leakage

CVE-2026-42208 is a SQL injection vulnerability (CWE-89) in BerriAI LiteLLM (a popular open-source LLM proxy/gateway that unifies access to many LLM providers behind a single interface). It was added to CISA's KEV catalog on May 8, 2026.

Per NVD, an attacker can exploit it to read data from the proxy's database and, in some cases, modify it. This is especially serious because an LLM proxy like LiteLLM holds the "keyring": it centrally manages connection details and API keys for many LLM providers (e.g. OpenAI and others), plus user tokens. If its database is compromised, the credentials for every LLM service reachable through the proxy can be exposed at once.
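To make the "keyring" risk concrete, the following is an added illustration, not LiteLLM's code and not the actual CVE-2026-42208 defect (whose vulnerable endpoint this page does not describe). It uses a constructed, hypothetical provider-key table in an in-memory SQLite database and contrasts a CWE-89 string-built lookup with the parameterized form: in the vulnerable variant, one crafted filter value returns every stored provider credential rather than one team's.

```python
import sqlite3

# Constructed sample data: a toy "keyring" table of the kind an LLM proxy
# keeps for provider credentials. Hypothetical schema and placeholder keys,
# not LiteLLM's real schema or data.
SAMPLE_KEYS = [
    ("openai", "sk-EXAMPLE-openai-0001", "team-a"),
    ("anthropic", "sk-ant-EXAMPLE-0002", "team-a"),
    ("azure", "EXAMPLE-azure-0003", "team-b"),
]


def make_db():
    """Build the in-memory keyring table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE provider_keys (provider TEXT, api_key TEXT, team TEXT)"
    )
    conn.executemany("INSERT INTO provider_keys VALUES (?, ?, ?)", SAMPLE_KEYS)
    return conn


def keys_for_team_vulnerable(conn, team):
    """CWE-89 pattern: the caller-controlled value is spliced into the SQL
    text, so the value can change the query's logic instead of being data."""
    sql = f"SELECT provider, api_key FROM provider_keys WHERE team = '{team}'"
    return conn.execute(sql).fetchall()


def keys_for_team_fixed(conn, team):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so it can only ever be compared against the team column."""
    sql = "SELECT provider, api_key FROM provider_keys WHERE team = ?"
    return conn.execute(sql, (team,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A benign lookup behaves identically in both variants.
    print(keys_for_team_vulnerable(db, "team-b"))
    print(keys_for_team_fixed(db, "team-b"))
    # A filter value that is itself SQL: the vulnerable variant returns
    # all providers' keys (the whole keyring); the fixed one matches nothing.
    tautology = "' OR '1'='1"
    print(len(keys_for_team_vulnerable(db, tautology)), "rows leaked")
    print(len(keys_for_team_fixed(db, tautology)), "rows with parameters")
```

The same contrast is why the response section pairs patching with key rotation: once a query like the vulnerable one has been reachable, every credential in the table must be treated as disclosed.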

Like Langflow (CVE-2025-34291), this vulnerability targets AI infrastructure (the platform that runs and relays LLMs), showing that the software underpinning AI is being actively exploited.

Key response: apply mitigations/fixes per the vendor instructions. For cloud use, follow BOD 22-01 guidance, and discontinue use if mitigations are unavailable. Rotate (revoke and reissue) the API keys and tokens LiteLLM manages on the assumption of leakage. The federal civilian remediation deadline was May 11, 2026.

Why it matters

A case where compromising an LLM gateway can expose all the AI credentials it manages. Organizations running LLM proxies/gateways should, beyond patching, rotate API keys/tokens and review access logs — a prompt to revisit key management for AI infrastructure.

FAQ

What is LiteLLM?
A popular open-source proxy/gateway that lets you access many LLM providers (their APIs, etc.) through a unified interface.
Why are credentials at risk?
An LLM proxy centrally manages each provider's API keys and user tokens. If the database is read via SQL injection, those credentials can be exposed all at once.
What should I do?
Apply fixes/mitigations per the vendor, and revoke and reissue (rotate) the API keys and tokens LiteLLM manages on the assumption of leakage.

Sources (primary)

This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.

#AI #LLM #LiteLLM #SQLinjection #Credentials