CVE-2026-42208
Confirmed PUBLISHEDLiteLLM: SQL injection in Proxy API key verification
1 day faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
- CVE Published
- May 08, 2026
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 9.3 Critical
- EPSS
- 84.5%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Red Hat |
Lightspeed Core
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Ansible Automation Platform 2
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat OpenShift AI (RHOAI)
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat OpenShift AI (RHOAI)
|
All versions (default: unaffected) |
Unaffected |
| BerriAI |
litellm
|
>= 1.81.16, < 1.83.7 |
Affected |
CVE References
- https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc github.com · CVE Record https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p...
- https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable github.com · CVE Record https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CVE First | 2026-06-01 13:26 UTC |
| CISA | 2026-06-02 14:01 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-42208.yaml | Jun 01, 2026 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 13:26:37 UTC · CVE
Proof of concept available
Recorded 2026-06-12 14:21:13 UTC · Nuclei Templates
Weaknesses (CWE)
-
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-42208.yaml | Jun 01, 2026 |
Recent Mentions
Github Advisory Database (PIP) · Jun 26, 2026
Impact semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel. The malicious litellm==1.82.8 wheel ships a litellm_init.pth file that executes on Python interpreter startup — no import required. It collects and exfiltrates: Process environment variables AWS / GCP / Azure credentials SSH keys, Kubernetes configs, shell history Database credentials and CI/CD secrets Cryptocurrency wallets Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to https://models.litellm.cloud/. See upstream: BerriAI/litellm#24512 and CVE-2026-42208. Patches Fixed in semantic-router 0.1.15, which raises the floor to litellm>=1.83.7. Workarounds If developers cannot upgrade immediately: Pin litellm>=1.83.7,!=1.82.8 explicitly in their own project. Audit site-packages/ for litellm_init.pth and delete if present. Rotate any credentials reachable from environments where an affected install ran. Credit Upstream report and triage by the litellm maintainers — see issue #24512. One caveat before publishing CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model. References https://github.com/aurelio-labs/semantic-router/security/advisories/GHSA-98x5-vq43-vc5p https://github.com/advisories/GHSA-98x5-vq43-vc5p
Rapid7 · Jun 26, 2026
Help shape the future of Metasploit FrameworkWe are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here, and you can submit your responses to the form here. The form will stop accepting responses on the 1st of July, 2026.New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfox, and improvements to service and host reporting in bruteforce-related modules.New module content (4)Audiobookshelf Unauthenticated API Authentication Bypass ScannerAuthors: Kenneth LaCroix and swiftbird07Type: AuxiliaryPull request: #21565 contributed by kenlacroixPath: scanner/http/audiobookshelf_auth_bypassAttackerKB reference: CVE-2025-25205Description: Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1).BerriAI LiteLLM Proxy Pre-Auth SQL Injection ScannerAuthors: Kenneth LaCroix and Tencent YunDing Security LabType: AuxiliaryPull request: #21567 contributed by kenlacroixPath: scanner/http/litellm_proxy_sqliAttackerKB reference: CVE-2026-42208Description: Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) — a pre-authentication SQL injection in BerriAI LiteLLM proxy.Next.js Middleware Authorization Bypass ScannerAuthors: Kenneth LaCroix, Rachid Allam, and Yasser AllamType: AuxiliaryPull request: #21566 contributed...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-06-18 23:40:32 UTC · 0 stars
A local lab for studying, reproducing, and verifying the patch for CVE-2026-42208: an unauthenticated SQL injection in LiteLLM's API key authentication path.
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:21 UTC about 1 month ago14:21 UTC · about 1 month ago
Public PoC available
Public proof-of-concept code published
-
14:01 UTC about 1 month ago14:01 UTC · about 1 month ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
15:34 UTC about 2 months ago15:34 UTC · about 2 months ago
Nuclei template available
Scanner coverage available
-
13:26 UTC about 2 months ago13:26 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
03:38 UTC 2 months ago03:38 UTC · 2 months ago
CVE published
Vulnerability disclosed publicly
-
05:04 UTC 3 months ago05:04 UTC · 3 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-42208
{
"cve_id": "CVE-2026-42208",
"title": "LiteLLM: SQL injection in Proxy API key verification",
"affected_vendor": "BerriAI",
"affected_product": "litellm",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.3,
"epss_score": 0.84518,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}