ctipilot.ch

LiteLLM Proxy pre-auth SQL injection — all upstream LLM API keys at risk (CVSS 9.3, KEV deadline 2026-05-11)

cve · CVE-2026-42208

Coverage timeline: 3 (first 2026-05-09 → last 2026-05-10)
Briefs: 3 (3 distinct)
Sources cited: 22 (19 hosts)
Sections touched: 0
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10
  2. 2026-05-09 · CTI Daily Brief — 2026-05-09
  3. 2026-W19 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)

Source distribution

  • attack.mitre.org: 2 (9%)
  • github.com: 2 (9%)
  • thezdi.com: 2 (9%)
  • bishopfox.com: 1 (5%)
  • docs.litellm.ai: 1 (5%)
  • advisories.ncsc.nl: 1 (5%)
  • aikido.dev: 1 (5%)
  • badhost.org: 1 (5%)
  • other: 11 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (22)

Items in briefs about LiteLLM Proxy pre-auth SQL injection — all upstream LLM API keys at risk (CVSS 9.3, KEV deadline 2026-05-11) (2)

CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: in-the-wild exploitation began within approximately 36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication per Bishop Fox. Any LiteLLM Proxy instance that was internet-accessible during that window should be treated as having had its credential tables read. Patching to v1.83.7+ does not remediate pre-patch credential exposure — every upstream API key (OpenAI, Anthropic, Azure OpenAI, Cohere, every other configured provider) stored in the proxy database must be rotated (Bishop Fox — CVE-2026-42208 technical analysis, 2026-05-06 · LiteLLM vendor advisory, 2026-04-29). CISA KEV deadline 2026-05-11 (Monday).

The flaw is an f-string SQL injection in the PrismaClient.get_data() method: the caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(). Bishop Fox's named example is the LiteLLM_VerificationToken table, but the same primitive reaches the proxy's virtual-key, upstream-provider-credential, team-binding, and rate-limit configuration tables. On default deployments where the application database user holds superuser rights, the primitive is full read/write across the database (CWE-89, CVSS 9.3, T1190 Exploit Public-Facing Application, T1552.001 Credentials In Files).

The architectural lesson connects directly to the Braintrust AWS account compromise disclosed 2026-05-06 (see § 5): AI-evaluation, AI-observability, and AI-gateway SaaS platforms aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. EU public-sector AI pilots running through LiteLLM or any similar gateway should inventory which provider keys are held by which SaaS vendor; require per-environment scoping (dev / staging / prod) with short TTLs; enable provider-side anomaly alerts for unusual call-volume or geographic-origin shifts. Patching path: pip install --upgrade litellm to ≥ 1.83.7 or pull the updated container image.

CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.
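The two lookup shapes both briefs describe (Bearer value spliced into the SQL text versus bound as a parameter), as an added example that is not LiteLLM's code: sqlite3 stands in for PostgreSQL so it runs offline, the table and key are constructed, and the TOKEN_RE key shape and authenticate() wrapper are assumptions added for defence in depth.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the proxy's PostgreSQL key table (sqlite3 so it runs
# offline; with psycopg/asyncpg the placeholder is %s / $1 instead of ?, same principle).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE LiteLLM_VerificationToken (token TEXT PRIMARY KEY, team_id TEXT)")
DB.execute("INSERT INTO LiteLLM_VerificationToken VALUES ('sk-demo-aB3dE5fG7h', 'team-finance')")


def lookup_vulnerable(bearer: str):
    """Pre-fix pattern from the advisory: the Bearer value becomes part of the SQL text,
    so a quote inside it rewrites the statement instead of being compared as data."""
    sql = f"SELECT token, team_id FROM LiteLLM_VerificationToken WHERE token = '{bearer}'"
    return DB.execute(sql).fetchone()


def lookup_fixed(bearer: str):
    """Post-fix pattern: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT token, team_id FROM LiteLLM_VerificationToken WHERE token = ?"
    return DB.execute(sql, (bearer,)).fetchone()


# Hypothetical virtual-key shape (an assumption, not LiteLLM's real format): lets the
# edge reject anything that is not a plausible key before it reaches the database.
TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def authenticate(authorization_header: str):
    """Defence in depth: parse the header, drop malformed tokens, then use the bound
    lookup. Returns the team_id for a known key, otherwise None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not TOKEN_RE.fullmatch(token):
        return None
    row = lookup_fixed(token)
    return row[1] if row else None


def probe_lookup(func, bearer: str) -> str:
    """Classify how a lookup treats a token: 'match', 'no-match' or 'sql-error'.
    A quote-bearing token erroring out is the tell that input reached the parser."""
    try:
        return "match" if func(bearer) else "no-match"
    except sqlite3.OperationalError:
        return "sql-error"
```

A single quote in the token is enough to show the difference: the interpolated lookup raises a SQL syntax error, the bound lookup simply finds no row.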