Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 9.3 Critical
EPSS: 54.3% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the database query that validates the proxy API key. The query concatenates the caller‑supplied key directly into the SQL text, a classic SQL injection weakness (CWE‑89). An attacker can send a specially crafted Authorization header to any LLM API route handled by the proxy, triggering the vulnerable query. Successful exploitation allows the attacker to read records from the proxy’s database and, in some cases, modify or delete them, thereby gaining unauthorized control over the proxy and the credentials it manages.

Affected Systems

The vulnerability affects BerriAI's LiteLLM library versions 1.81.16 through 1.83.6. Any deployment that has not applied the patched release 1.83.7 or later is vulnerable. Systems that expose the proxy API to untrusted networks are especially at risk.

Risk and Exploitability

This is a critical flaw with a CVSS score of 9.3. The exploitation requires no credentials and relies on a standard HTTP header, making the attack straightforward for an attacker with network access to the proxy endpoint. The EPSS score of 54% indicates a high probability of exploitation, and the vulnerability is listed in CISA KEV. Successful exploitation leads to full read/write control over the proxy’s database and the stored API keys.

Generated by OpenCVE AI on May 22, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later, which removes the vulnerable query and uses parameterized statements.
  • If an immediate upgrade is not possible, restrict access to the proxy API by firewall rules that limit inbound traffic to trusted IP ranges and enforce TLS client authentication when feasible.
  • Bind the database server to localhost or a private network segment so that only the proxy can reach it, reducing the exposure window.
  • Ensure the database user account used by LiteLLM has least‑privilege permissions, limiting it to the minimum operations required for the proxy to function.

Generated by OpenCVE AI on May 22, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r75f-5x8p-qvmc LiteLLM has SQL Injection in Proxy API key verification
History

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-08T00:00:00+00:00', 'dueDate': '2026-05-11T00:00:00+00:00'}

Fri, 08 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in LiteLLM. A database query used for proxy API key checks incorrectly incorporated caller-supplied key values directly into the query. This vulnerability allows an unauthenticated attacker to send a specially crafted Authorization header to any Large Language Model (LLM) API route, exploiting the proxy's error-handling path. Successful exploitation could enable the attacker to read and potentially modify data within the proxy's database, leading to unauthorized access to the proxy and its managed credentials. LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Title LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection LiteLLM: SQL injection in Proxy API key verification
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Thu, 30 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Thu, 30 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in LiteLLM. A database query used for proxy API key checks incorrectly incorporated caller-supplied key values directly into the query. This vulnerability allows an unauthenticated attacker to send a specially crafted Authorization header to any Large Language Model (LLM) API route, exploiting the proxy's error-handling path. Successful exploitation could enable the attacker to read and potentially modify data within the proxy's database, leading to unauthorized access to the proxy and its managed credentials.
Title LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
Weaknesses CWE-89
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Critical

Subscriptions

Berriai Litellm
Litellm Litellm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:55:45.157Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42208

cve-icon Vulnrichment

Updated: 2026-05-08T10:47:23.144Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T04:16:19.923

Modified: 2026-05-08T19:19:34.537

Link: CVE-2026-42208

cve-icon Redhat

Severity : Critical

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-42208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses