Full Report
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying
Analysis Summary
# Morning News Roll-up April 29, 2026
## Overview
A critical SQL injection vulnerability in the LiteLLM AI gateway (CVE-2026-42208) has been weaponized by threat actors within 36 hours of public disclosure. The exploitation targets sensitive API credentials for major LLM providers like OpenAI and AWS.
## Top Stories
### LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
- Summary: Threat actors are actively exploiting a CVSS 9.3 vulnerability in the LiteLLM Python package to access and modify proxy databases containing high-value cloud credentials.
- Source: hxxps://thehackernews[.]com/2026/04/litellm-cve-2026-42208-sql-injection[.]html
### CTM360 Exposes Global GovTrap Campaign
- Summary: Researchers have identified a massive campaign involving over 11,000 fraudulent government portals designed to deceive citizens globally.
- Source: hxxps://thehackernews[.]com/expert-insights/2026/04/ctm360-exposes-global-govtrap-campaign[.]html
### TeamPCP Supply Chain Attack on LiteLLM
- Summary: Recent intelligence links the TeamPCP hacking group to previous supply chain attacks against LiteLLM aimed at stealing downstream user secrets.
- Source: hxxps://thehackernews[.]com/2026/03/teampcp-backdoors-litellm-versions[.]html
---
# Main Topic
**Exploitation of CVE-2026-42208: Critical SQL Injection in LiteLLM AI Gateway**
## Key Points
- **Rapid Exploitation:** The vulnerability was exploited in the wild approximately 26 hours after being indexed in the GitHub Advisory Database and within 36 hours of public knowledge.
- **Root Cause:** A failure to parameterize API keys in database queries allowed attackers to inject malicious SQL via the `Authorization` header.
- **High Impact:** Successful exploitation allows attackers to read and modify the `litellm_credentials` and `litellm_config` tables, which store high-value API keys for providers like OpenAI, Anthropic, and AWS Bedrock.
- **Professional Execution:** Attackers demonstrated knowledge of the open-source schema, bypassing generic probes to target specific sensitive tables and performing column-count enumeration.
## Threat Actors
- **Unknown Operator:** An unidentified threat actor was observed using two adjacent egress IPs to conduct multi-phase attacks.
- **TeamPCP (Related Context):** While not explicitly blamed for this specific SQLi, this group was previously identified conducting supply chain attacks against the same software.
## TTPs
- **SQL Injection (SQLi):** Exploiting unparameterized input in the proxy’s error-handling path.
- **Weaponized Headers:** Delivery of payloads via specially crafted `Authorization` headers to endpoints such as `POST /chat/completions`.
- **Reconnaissance:** Unauthenticated probing of key-management endpoints and database schema enumeration.
- **Infrastructure:** Use of rotating IP addresses (65.111.27[.]132 and 65.111.25[.]67) to continue attacks after initial detection.
## Affected Systems
- **Software:** BerriAI LiteLLM Python package.
- **Affected Versions:** Versions >= 1.81.16 and < 1.83.7.
- **Platform:** AI Gateways used to manage and centralize cloud-grade LLM credentials.
## IoCs
- **IPv4:** 65[.]111[.]27[.]132
- **IPv4:** 65[.]111[.]25[.]67
- **Vulnerability Identifier:** CVE-2026-42208 / GHSA-r75f-5x8p-qvmc
## Mitigations
- **Immediate Patching:** Update LiteLLM to version **1.83.7-stable** or later.
- **Workaround:** If patching is not immediately possible, set `disable_error_logs: true` under `general_settings` in the configuration to close the vulnerable code path.
- **Credential Rotation:** Users who suspect compromise should rotate all upstream LLM API keys (OpenAI, Anthropic, AWS Bedrock) stored within the LiteLLM proxy.
- **Monitoring:** Inspect logs for unusual activity involving the `Authorization` header and unauthorized access to key-management endpoints.
## Conclusion
The exploitation of CVE-2026-42208 highlights a shrinking "Exploit Window" where attackers weaponize flaws before many organizations can apply patches. Because LiteLLM centralizes high-value credentials, the blast radius of this SQL injection is comparable to a full cloud-account compromise. Organizations utilizing AI infrastructure must prioritize rapid patching and implement stringent input validation for all gateway components.