ctipilot.ch


CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: per Bishop Fox, in-the-wild exploitation began within approximately 36 hours of publication of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc). Any LiteLLM Proxy instance that was internet-accessible during that window should be treated as having had its credential tables read. Patching to v1.83.7+ does not remediate pre-patch credential exposure: every upstream API key (OpenAI, Anthropic, Azure OpenAI, Cohere, every other configured provider) stored in the proxy database must be rotated (Bishop Fox — CVE-2026-42208 technical analysis, 2026-05-06 · LiteLLM vendor advisory, 2026-04-29). The CISA KEV deadline is 2026-05-11 (Monday).

The flaw is an f-string SQL injection in the PrismaClient.get_data() method: the caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep() against the LiteLLM_VerificationToken table (Bishop Fox's named example) — alongside the proxy's virtual-key, upstream-provider-credential, team-binding, and rate-limit configuration tables. On default deployments where the application database user holds superuser rights, the primitive is full read/write across the database (CWE-89, CVSS 9.3, T1190 Exploit Public-Facing Application, T1552.001 Credentials in Files).
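The difference between interpolating the bearer token into the query text and binding it as a parameter, shown as an added example (not LiteLLM's code and not taken from the advisory). The table and column names and the sample tokens are constructed, and sqlite3 stands in for PostgreSQL so the block runs offline.

```python
import sqlite3

# Constructed schema and row; the table and column names are hypothetical
# and sqlite3 stands in for the proxy's PostgreSQL database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE verification_token (token TEXT PRIMARY KEY, team TEXT)")
    db.execute("INSERT INTO verification_token VALUES ('sk-constructed-1', 'team-a')")
    return db

def bearer_token(header):
    """Return the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = header.partition(" ")
    return token if scheme.lower() == "bearer" else ""

def lookup_interpolated(db, header):
    """Vulnerable pattern: the token becomes part of the SQL text."""
    token = bearer_token(header)
    query = f"SELECT team FROM verification_token WHERE token = '{token}'"
    return db.execute(query).fetchall()

def lookup_parameterised(db, header):
    """Fixed pattern: the token is bound as a value and never parsed as SQL."""
    token = bearer_token(header)
    query = "SELECT team FROM verification_token WHERE token = ?"
    return db.execute(query, (token,)).fetchall()

VALID = "Bearer sk-constructed-1"
# Constructed malformed token: a quote followed by an always-true condition.
MALFORMED = "Bearer nope' OR '1'='1"

def demo():
    db = make_db()
    return {
        "valid_interpolated": lookup_interpolated(db, VALID),
        "valid_parameterised": lookup_parameterised(db, VALID),
        "malformed_interpolated": lookup_interpolated(db, MALFORMED),
        "malformed_parameterised": lookup_parameterised(db, MALFORMED),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With a PostgreSQL driver the placeholder syntax differs (for example %s in psycopg), but the separation of query text from bound values is the same.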

The architectural lesson connects directly to the Braintrust AWS account compromise disclosed 2026-05-06 (see § 5): AI-evaluation, AI-observability, and AI-gateway SaaS platforms aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. EU public-sector AI pilots running through LiteLLM or any similar gateway should inventory which provider keys are held by which SaaS vendor, require per-environment scoping (dev / staging / prod) with short TTLs, and enable provider-side anomaly alerts for unusual call-volume or geographic-origin shifts. Patching path: pip install --upgrade litellm to ≥ 1.83.7 or pull the updated container image.