Description
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Published: 2026-05-08
Score: 9.3 Critical
EPSS: 86.6% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because LiteLLM concatenates the caller‑supplied API key directly into an SQL statement used for proxy authentication. This improper input handling creates a classic SQL injection point (CWE‑89). An attacker who can send a request to any LLM API route, such as POST /chat/completions, can exploit the error‑handling path to inject SQL that reads or modifies data stored in the proxy’s database.

Affected Systems

The flaw affects BerriAI LiteLLM versions 1.81.16 through 1.83.6 inclusive. Any deployment that has not upgraded to the patched release 1.83.7 or later is vulnerable. The issue is present in all environments where the proxy API is reachable over the network, including public internet exposure or untrusted internal networks.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score of 87% shows a high likelihood of exploitation. The vulnerability is listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can send a specially crafted Authorization header in a standard HTTP request to trigger the vulnerable query, requiring no credentials. Successful exploitation yields full read and write access to the proxy’s database, potentially exposing all stored API keys and credentials.

Generated by OpenCVE AI on July 6, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiteLLM to version 1.83.7 or later, which removes the vulnerable parameterization logic.
  • If an upgrade cannot be performed immediately, restrict traffic to the proxy API to trusted IP ranges using firewall rules or place the API behind VPN or require mutual TLS authentication to limit exposure.
  • Limit the proxy’s database access by configuring the database user with least‑privilege permissions and, if possible, bind the database to localhost or a private network segment to reduce the attack surface.

Generated by OpenCVE AI on July 6, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r75f-5x8p-qvmc LiteLLM has SQL Injection in Proxy API key verification
History

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-08T00:00:00+00:00', 'dueDate': '2026-05-11T00:00:00+00:00'}


Fri, 08 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in LiteLLM. A database query used for proxy API key checks incorrectly incorporated caller-supplied key values directly into the query. This vulnerability allows an unauthenticated attacker to send a specially crafted Authorization header to any Large Language Model (LLM) API route, exploiting the proxy's error-handling path. Successful exploitation could enable the attacker to read and potentially modify data within the proxy's database, leading to unauthorized access to the proxy and its managed credentials. LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Title LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection LiteLLM: SQL injection in Proxy API key verification
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Thu, 30 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Berriai
Berriai litellm
Vendors & Products Berriai
Berriai litellm

Thu, 30 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in LiteLLM. A database query used for proxy API key checks incorrectly incorporated caller-supplied key values directly into the query. This vulnerability allows an unauthenticated attacker to send a specially crafted Authorization header to any Large Language Model (LLM) API route, exploiting the proxy's error-handling path. Successful exploitation could enable the attacker to read and potentially modify data within the proxy's database, leading to unauthorized access to the proxy and its managed credentials.
Title LiteLLM: LiteLLM: Unauthorized data access and modification via SQL injection
Weaknesses CWE-89
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Critical


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T12:34:19.762Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42208

cve-icon Vulnrichment

Updated: 2026-06-29T12:34:19.762Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T04:16:19.923

Modified: 2026-06-17T10:47:30.823

Link: CVE-2026-42208

cve-icon Redhat

Severity : Critical

Publid Date: 2026-04-28T00:00:00Z

Links: CVE-2026-42208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T21:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')