CISA has officially added CVE-2026-42208, a critical SQL Injection vulnerability affecting BerriAI’s LiteLLM platform, to its Known Exploited Vulnerabilities (KEV) Catalog. Intelligence confirms active exploitation in the wild, meaning threat actors are already leveraging this flaw to target organizations. LiteLLM is widely used to standardize API calls for Large Language Models (LLMs), making this a high-value target for adversaries seeking to exfiltrate API keys, prompt data, or manipulate underlying databases. Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability immediately under Binding Operational Directive (BOD) 22-01. Private sector organizations must treat this with the same urgency to prevent data breaches and service disruption.
Technical Analysis
- CVE Identifier: CVE-2026-42208
- Affected Product: BerriAI LiteLLM
- Vulnerability Type: SQL Injection
- Attack Vector: Network
- Complexity: Low
- Privileges Required: None (typically)
- User Interaction: None
The vulnerability stems from insufficient input sanitization in specific endpoints of the LiteLLM API. By injecting malicious SQL statements into untrusted input fields, a remote, unauthenticated attacker can interact with the backend database. In the context of LiteLLM, which manages authentication tokens and usage logs for various LLM providers (OpenAI, Anthropic, etc.), successful exploitation could lead to:
- Authentication Bypass: Accessing the application without valid credentials.
- Data Exfiltration: Dumping tables containing sensitive API keys, user prompts, and internal logs.
- Data Integrity Loss: Modifying or deleting billing records or configuration data.
Exploitation Status: Confirmed Active Exploitation. CISA has added this to the KEV catalog based on evidence of active exploitation in the wild.
Detection & Response
This vulnerability allows for unauthenticated SQL injection. Defenders should focus on detecting HTTP requests containing SQL syntax targeting LiteLLM endpoints, as well as monitoring for suspicious process activity on the hosting server (e.g., Python spawning shells if RCE is achieved).
Sigma Rules
The following rules detect common SQL injection patterns in web logs and suspicious child process spawns from the Python runtime often associated with exploitation attempts.
---
title: Potential SQL Injection Attack on LiteLLM Endpoints
id: 8a4b2c12-6d8e-4f1a-9b3c-5d6e7f8a9b0c
status: experimental
description: Detects potential SQL injection attempts targeting LiteLLM API endpoints via URI query or body parameters.
references:
- https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/05/08
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
product: apache
# or nginx, iis, etc. - adjust logsource as needed for environment
detection:
selection:
c-uri|contains:
- '/chat/completions'
- '/key/generate'
- '/completions'
cs-uri-query|contains:
- 'OR 1=1'
- 'UNION SELECT'
- '--'
- '/*'
- 'waitfor delay'
- 'sleep('
condition: selection
falsepositives:
- Developers testing inputs with SQL-like strings (rare)
level: high
---
title: Python Spawning Shell via SQL Injection
id: 9c5d3e21-7e9f-5a2b-0c4d-6e7f8a9b0c1d
status: experimental
description: Detects Python (often used by LiteLLM) spawning a shell process, which may indicate successful SQL injection leading to RCE or command execution.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/08
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/python3'
- '/python'
- '/uwsgi'
selection_child:
Image|endswith:
- '/sh'
- '/bash'
- '/zsh'
- '/nc'
- '/netcat'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks by developers
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for SQL injection syntax in web proxy logs (CommonSecurityLog) or Syslog ingested from LiteLLM hosts.
// Hunt for SQLi patterns in HTTP requests to LiteLLM paths
let sqli_patterns = dynamic(["OR 1=1", "UNION SELECT", "WAITFOR DELAY", "SLEEP(", "BENCHMARK(", "EXEC(", "' OR '1'='1", "' OR '1'='1'--"]);
let litellm_paths = dynamic(["/chat/completions", "/key/generate", "/model/list", "/user/new"]);
CommonSecurityLog
| where RequestURL has_any (litellm_paths)
| where RequestURL has_any (sqli_patterns) or RequestMethod has_any (sqli_patterns) or additional_extensions has_any (sqli_patterns)
| project TimeGenerated, DeviceName, SourceIP, RequestURL, RequestMethod, DestinationPort
| order by TimeGenerated desc
Velociraptor VQL
This artifact hunts for the presence of LiteLLM processes and checks for recent command-line arguments that might indicate exploitation or debugging attempts by attackers.
-- Hunt for LiteLLM processes and suspicious command lines
SELECT Pid, Name, Exe, CommandLine, Username, Ctime
FROM pslist()
WHERE Name =~ 'python'
AND (CommandLine =~ 'litellm' OR CommandLine =~ 'uvicorn' OR CommandLine =~ 'gunicorn')
-- Hunt for recent access to LiteLLM database files (SQLite) if applicable
SELECT FullPath, Size, Mode, Mtime, Atime
FROM glob(globs='/*/*.db')
WHERE FullPath =~ 'litellm'
AND timestamp(epoch=Atime) > now() - duration("1h")
Remediation Script
The following Bash script helps identify if LiteLLM is installed, checks the version (if accessible via pip), and attempts to upgrade to the latest secure version.
#!/bin/bash
# Remediation Script for CVE-2026-42208 (LiteLLM)
# Ensures LiteLLM is updated to the latest patched version
echo "[*] Checking for LiteLLM installation..."
# Check if litellm is installed
if ! command -v pip &> /dev/null && ! command -v pip3 &> /dev/null; then
echo "[!] pip not found. Please ensure Python/pip is installed."
exit 1
fi
PIP_CMD=$(command -v pip || command -v pip3)
# Check current version
CURRENT_VERSION=$($PIP_CMD show litellm 2>/dev/null | grep Version | awk '{print $2}')
if [ -z "$CURRENT_VERSION" ]; then
echo "[!] LiteLLM is not installed in this Python environment."
else
echo "[+] Current LiteLLM version found: $CURRENT_VERSION"
echo "[*] Updating LiteLLM to latest version..."
$PIP_CMD install --upgrade litellm
NEW_VERSION=$($PIP_CMD show litellm 2>/dev/null | grep Version | awk '{print $2}')
echo "[+] Updated LiteLLM version: $NEW_VERSION"
fi
echo "[*] Restarting LiteLLM service is required to apply patch."
echo "[*] Please run: systemctl restart litellm (or your equivalent container restart command)"
Remediation
- Patch Immediately: Apply the latest vendor updates for BerriAI LiteLLM. Discontinue use of unsupported versions immediately.
- Vendor Advisory: Refer to the official BerriAI security advisory for specific version numbers that address CVE-2026-42208.
- Input Validation: Until a patch can be applied, implement a Web Application Firewall (WAF) rule to block SQL injection keywords (
UNION,SELECT,OR 1=1,--) specifically targeting the/key/generateand/chat/completionsendpoints. - Least Privilege: Ensure the database account used by LiteLLM has the minimum necessary permissions (e.g., avoid
dboorrootaccess) to limit the impact of a breach. - Audit Logs: Review logs for successful HTTP 200 OK responses on the aforementioned endpoints occurring around the time of suspicious SQL syntax.
- CISA Deadline: Federal agencies must remediate this vulnerability by the deadline specified in CISA’s BOD 22-01.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.