A critical, unauthenticated SQL injection vulnerability in LiteLLM — the open-source gateway that tens of thousands of organisations use to manage API access to OpenAI, Anthropic, and other AI providers — drew targeted exploitation attempts within 36 hours of its public disclosure, according to new research from Sysdig's Threat Research Team.
The flaw, tracked as CVE-2026-42208, affects LiteLLM versions 1.81.16 through 1.83.6. The vulnerability lies within the proxy's authentication step: the Bearer token from an HTTP request header is directly inserted into a SQL query without parameterization (a basic security safeguard), allowing any anonymous attacker to send crafted requests and pull arbitrary data from the PostgreSQL backend — no login required.
The database stores virtual API keys, provider credentials for services like OpenAI and AWS Bedrock, and the proxy's entire runtime environment configuration — effectively a master key to every AI service an organisation has connected to it.
Sysdig observed the first exploitation attempt at 04:24 UTC on April 26, just 36 hours and seven minutes after the advisory was indexed in GitHub's global advisory database on April 24.
The attacker, operating from two IP addresses in the same German autonomous system (AS200373, 3xK Tech GmbH), fired 29 UNION-based SQL injection payloads targeting precisely the three tables most likely to contain production secrets: LiteLLM_VerificationToken, litellm_credentials, and litellm_config.
That level of precision is what stood out to Sysdig's researchers. The attacker already knew LiteLLM's Prisma ORM table naming conventions — including the PascalCase quirk that generic scanners routinely miss — and went straight for credential-bearing tables, skipping benign ones entirely.
A second IP rotated roughly 20 minutes later, replaying the payload set and probing key management endpoints. The final request — a blunt OR 1=1-- — is consistent with an automated harness exhausting its full payload list.
No confirmed data extraction or key reuse was observed, but Sysdig is clear: absence of follow-through does not mean the attempt failed quietly.
The fix is available in v1.83.7, which replaces string interpolation with parameterized queries. Anyone running an internet-facing LiteLLM instance on a vulnerable version should patch immediately, rotate all stored credentials and virtual keys, and audit upstream provider billing logs for unexpected API activity.
The broader warning from Sysdig: AI gateways like LiteLLM aggregate cloud-grade credentials at a scale that makes a single SQL injection equivalent, in blast radius, to a full cloud account compromise. They should be treated accordingly.