Sysdig TRT observed a rapid, pre-auth SQL injection (CVE-2026-42208 / GHSA-r75f-5x8p-qvmc) against LiteLLM that used UNION-based payloads to enumerate tables holding virtual API keys, provider credentials, and environment variables. The operator executed schema-aware column-count discovery from rotating egress IPs but Sysdig saw no confirmed authenticated follow-on; patch to v1.83.7 and rotate exposed keys immediately. #LiteLLM #CVE-2026-42208
Keypoints
- Critical pre-auth SQL injection (CVE-2026-42208 / GHSA-r75f-5x8p-qvmc) in LiteLLM allowed arbitrary SELECTs against the PostgreSQL backend by concatenating the Authorization: Bearer value into a query without parameterization.
- The advisory was indexed in the GitHub Advisory Database on 2026-04-24 and the first observed exploitation attempt occurred 36 hours and seven minutes later (2026-04-26 04:24 UTC).
- Sysdig TRT captured precise, non-generic UNION-based schema enumeration targeting three high-value tables: LiteLLM_VerificationToken, litellm_credentials, and litellm_config (environment_variables).
- The operator demonstrated schema knowledge (Prisma PascalCase table names) and ran textbook column-count discovery, implying prior access to the schema or deliberate reconnaissance/LLM assistance.
- Exploitable instances expose cloud-grade provider keys and master/virtual API keys; successful extraction would allow unauthenticated reuse (replay to /chat/completions) and large blast radius across upstream accounts.
- Recommended mitigations: update to v1.83.7, rotate all keys and provider credentials for internet-reachable instances, restrict proxies behind authenticated reverse proxies, and monitor logs for the distinctive request signatures.
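The defect class described above (the bearer value spliced into SQL text) is easier to reason about next to its parameterized form. The following is an added example, not LiteLLM's code and not from the Sysdig write-up: it uses an in-memory sqlite3 table as a stand-in for the PostgreSQL/Prisma key table (the `virtual_keys` schema, the `sk-` token shape check and all sample values are assumptions), and shows that a single quote in the token reaches the SQL parser in the concatenating version while the bound-parameter version treats it as inert data.

```python
import re
import sqlite3

# Illustrative schema only (assumption): a single table of virtual keys,
# standing in for the proxy's PostgreSQL/Prisma-backed key table.
_SCHEMA = """
CREATE TABLE virtual_keys (
    token TEXT PRIMARY KEY,
    key_alias TEXT,
    spend REAL
);
INSERT INTO virtual_keys VALUES ('sk-litellm-abc123', 'demo-alias', 0.0);
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def lookup_key_vulnerable(conn, bearer):
    """Concatenates the bearer value into the statement (the defect class the
    advisory describes). A single quote in the token ends the string literal,
    so whatever follows it is parsed as SQL rather than compared as data."""
    sql = f"SELECT key_alias FROM virtual_keys WHERE token = '{bearer}'"
    return conn.execute(sql).fetchone()


def lookup_key_safe(conn, bearer):
    """Parameterized form: the driver sends the token as a bound value, never
    as statement text, so quotes and keywords inside it are inert."""
    return conn.execute(
        "SELECT key_alias FROM virtual_keys WHERE token = ?", (bearer,)
    ).fetchone()


# Assumed key shape: opaque 'sk-' prefixed token; no quotes or whitespace.
_TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def authenticate(conn, authorization_header):
    """Defense in depth: reject anything not shaped like a key before it
    reaches the database, then look it up with a bound parameter."""
    if not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    if not _TOKEN_RE.fullmatch(token):
        return None
    return lookup_key_safe(conn, token)


def demo():
    conn = _connect()
    quoted = "sk-litellm'"  # the single-quote terminator pattern from the IoCs
    safe = lookup_key_safe(conn, quoted)  # no such token: None
    try:
        lookup_key_vulnerable(conn, quoted)
        vuln = "no error"
    except sqlite3.OperationalError:
        vuln = "syntax error"  # the quote was interpreted as SQL syntax
    return safe, vuln, authenticate(conn, "Bearer sk-litellm-abc123")


if __name__ == "__main__":
    print(demo())
```

The shape check is not a substitute for parameterization; it only narrows what ever reaches the query, so a future concatenation elsewhere in the auth path has less to work with.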
MITRE Techniques
- [T1190] Exploit Public-Facing Application: the vulnerability is a pre-auth SQL injection in the proxy auth check allowing arbitrary SELECTs; "the injection is fully pre-auth: any HTTP client that can reach the proxy port is sufficient."
- [T1567] Exfiltration Over Web Service: data was returned directly in HTTP responses using UNION SELECT payloads to leak columns; "that column carries the leaked data back in the response body."
- [T1078] Valid Accounts: exfiltrated virtual or master keys could be replayed to upstream endpoints to gain access; "Once a virtual key or master key is exfiltrated, it can be replayed against /chat/completions from any IP."
Indicators of Compromise
- [IP address] Exploitation sources: 65.111.27.132, 65.111.25.67 (adjacent /22 in AS200373, observed issuing UNION-based SQLi and probes)
- [ASN / Operator] Egress attribution: AS200373 (3xK Tech GmbH); both observed IPs belong to this operator
- [HTTP endpoints] Targeted URIs: /chat/completions (POST), /key/generate, /key/info (unauthenticated probes after SQLi attempts)
- [HTTP header pattern] Authorization header injection pattern: Authorization: Bearer header beginning with "sk-litellm'" (single-quote terminator) and containing SQL keywords / UNION SELECT payloads
- [User-Agent] Request signature: Python/3.12 aiohttp/3.9.1 (consistent across observed requests)
- [Vulnerability identifiers] Advisory references: GHSA-r75f-5x8p-qvmc, CVE-2026-42208 (patch available in v1.83.7)
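The indicators above translate directly into a log check for the "monitor logs for the distinctive request signatures" mitigation. The following is an added example, not part of the Sysdig write-up: it assumes proxy access logs exported as JSON lines with `src_ip`, `path`, `authorization` and `user_agent` fields (a constructed format), scores each record against the bearer-prefix pattern, SQL keywords in the token, the observed User-Agent, the two source IPs and the targeted endpoints, and returns the flagged lines. The sample records are constructed, not captured traffic, and the payload text in them is truncated to the signature.

```python
import json
import re
from ipaddress import ip_address

# Indicators from the write-up.
KNOWN_SOURCES = {ip_address("65.111.27.132"), ip_address("65.111.25.67")}
SUSPECT_UA = "Python/3.12 aiohttp/3.9.1"
TARGET_PATHS = {"/chat/completions", "/key/generate", "/key/info"}

# A legitimate virtual key is an opaque token: a quote right after the prefix
# is the single-quote terminator pattern, and SQL keywords never belong in one.
_QUOTE_TERMINATOR = re.compile(r"^sk-litellm'")
_SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|FROM|WHERE|ORDER\s+BY)\b", re.I)


def score_request(rec):
    """Return the list of indicator names this access record matches."""
    hits = []
    auth = rec.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if _QUOTE_TERMINATOR.match(token):
        hits.append("bearer_quote_terminator")
    if _SQL_KEYWORDS.search(token):
        hits.append("bearer_sql_keywords")
    if rec.get("user_agent") == SUSPECT_UA:
        hits.append("known_user_agent")
    try:
        if ip_address(rec.get("src_ip", "")) in KNOWN_SOURCES:
            hits.append("known_source_ip")
    except ValueError:  # missing or malformed address field
        pass
    # Strongest signal: the injection pattern aimed at one of the targeted URIs.
    if rec.get("path") in TARGET_PATHS and "bearer_quote_terminator" in hits:
        hits.append("sqli_on_targeted_endpoint")
    return hits


def scan(lines):
    """Parse JSON-lines access records; return (line_no, hits) for flagged ones."""
    flagged = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines rather than abort the scan
        hits = score_request(rec)
        if hits:
            flagged.append((n, hits))
    return flagged


# Constructed sample records (assumed log layout, not real captured traffic).
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.10","method":"POST","path":"/chat/completions",'
    '"authorization":"Bearer sk-litellm-7f3a9c2e1b","user_agent":"curl/8.4.0"}',
    '{"src_ip":"65.111.27.132","method":"POST","path":"/chat/completions",'
    '"authorization":"Bearer sk-litellm\' UNION SELECT [truncated]",'
    '"user_agent":"Python/3.12 aiohttp/3.9.1"}',
    '{"src_ip":"65.111.25.67","method":"GET","path":"/key/info",'
    '"authorization":"Bearer sk-litellm-probe","user_agent":"Python/3.12 aiohttp/3.9.1"}',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

The bearer-prefix and keyword checks are the durable part of this rule; the IP and User-Agent matches are point-in-time indicators that the write-up itself notes came from rotating egress, so treat them as corroboration rather than the primary trigger.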