{"data":{"id":"370415db-e88d-4130-962d-a7662dd55a4c","title":"Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw","summary":"Hackers are actively exploiting CVE-2026-42208, a critical SQL injection flaw (untrusted input spliced into a database query and executed as SQL) in LiteLLM, an open-source gateway that lets developers access multiple AI models through one interface. The flaw is reachable without authentication and lets attackers read sensitive data such as virtual API keys and provider credentials stored in the proxy's database, which they can then use against the downstream systems those credentials unlock.","solution":"LiteLLM released a fix in version 1.83.7 that replaces string concatenation with parameterized queries, which bind input as data rather than splicing it into the SQL text. Users unable to upgrade immediately can apply the maintainers' workaround of setting 'disable_error_logs: true' under 'general_settings', which closes the path through which attacker-controlled input reaches the vulnerable query. Because an instance that was exposed may already have had its database read, organizations should also rotate all virtual API keys, master keys, and provider credentials.","labels":["security"],"sourceUrl":"https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/","publishedAt":"2026-04-28T21:07:23.000Z","cveId":"CVE-2026-42208","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":[],"issueType":"news","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LiteLLM","OpenAI","Anthropic","AWS Bedrock"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-28T21:07:23.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}
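The record's solution field describes the bug class (SQL built by string concatenation) and the fix (parameterized queries) without showing either. The block below is an added illustration and is not LiteLLM's code or the patch: it uses an in-memory sqlite3 database with constructed table names (virtual_keys, error_logs), and the assumption that an unauthenticated request can get one of its fields written into an error-log row mirrors the advisory's description rather than LiteLLM's real schema or query. It shows that a single INSERT, with no stacked statement, is enough to pull rows from another table into the stored value when the input is concatenated, and that the same payload is stored as inert text once the query is parameterized.

```python
"""
Added example (not LiteLLM's code): string-built SQL lets a request field
reach the database as code; a parameterized query removes that path.
sqlite3 is used so the demo runs offline. Table and column names, and the
idea that an error-log write is reachable pre-auth, are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a key table the attacker wants to read and an
    error-log table that a request can cause a row to be written to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE virtual_keys (token TEXT, key_alias TEXT);
        CREATE TABLE error_logs (id INTEGER PRIMARY KEY, model TEXT, message TEXT);
        INSERT INTO virtual_keys VALUES ('sk-litellm-EXAMPLE-1', 'team-a');
        INSERT INTO virtual_keys VALUES ('sk-litellm-EXAMPLE-2', 'team-b');
        """
    )
    return conn


def log_error_vulnerable(conn: sqlite3.Connection, model: str, message: str) -> None:
    """Vulnerable pattern: the statement text is assembled from the request
    values, so whatever is in `model` is parsed by the database as SQL."""
    sql = (
        "INSERT INTO error_logs (model, message) VALUES ('"
        + model + "', '" + message + "')"
    )
    conn.execute(sql)
    conn.commit()


def log_error_fixed(conn: sqlite3.Connection, model: str, message: str) -> None:
    """Hardened pattern: placeholders in the SQL text, values passed to the
    driver, which binds them as data. The payload can no longer change the
    shape of the statement."""
    conn.execute(
        "INSERT INTO error_logs (model, message) VALUES (?, ?)", (model, message)
    )
    conn.commit()


def stored_models(conn: sqlite3.Connection) -> list[str]:
    """What a log viewer would later display for the `model` column."""
    return [row[0] for row in conn.execute("SELECT model FROM error_logs ORDER BY id")]


# Constructed payload: closes the open string literal, splices in a subquery
# over the key table, then reopens the literal so the INSERT still parses.
# Only one statement is needed, so drivers that refuse stacked queries do
# not help here.
PAYLOAD = "' || (SELECT group_concat(token, ',') FROM virtual_keys) || '"


def demo_vulnerable() -> str:
    """Returns the `model` value actually stored when the vulnerable insert
    receives PAYLOAD: the concatenated tokens from virtual_keys."""
    conn = make_db()
    log_error_vulnerable(conn, PAYLOAD, "model not found")
    return stored_models(conn)[0]


def demo_fixed() -> str:
    """Returns the `model` value stored by the parameterized insert: the
    payload string itself, byte for byte, with no subquery evaluated."""
    conn = make_db()
    log_error_fixed(conn, PAYLOAD, "model not found")
    return stored_models(conn)[0]


if __name__ == "__main__":
    print("concatenated query stored:", demo_vulnerable())
    print("parameterized query stored:", demo_fixed())
```

The exfiltration route shown here is deliberately the quiet one: nothing errors, the row is written, and the secret only surfaces when the log is read back, which is why the record's workaround of disabling error-log writes cuts the path even before the query itself is fixed, and why credentials in the database must be rotated rather than assumed safe because no failed queries were observed.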