{"data":{"id":"4e7b8ba3-978d-4866-b04f-dc716f6e17cd","title":"GHSA-r75f-5x8p-qvmc: LiteLLM has SQL Injection in Proxy API key verification","summary":"LiteLLM's proxy API key verification has a SQL injection vulnerability: attacker-controlled input is built into a database query instead of being passed as a bound parameter, so the attacker can alter the query itself. An unauthenticated attacker, holding no valid key at all, can send a specially crafted `Authorization` header to the proxy and, through the vulnerable query, potentially read or modify the proxy's database, gaining unauthorized access to stored credentials.","solution":"Fixed in version 1.83.7, where the caller-supplied value is always passed to the database as a separate bound parameter rather than interpolated into the SQL text. Upgrade to 1.83.7 or later; affected releases are 1.81.16 up to but not including 1.83.7, so confirm the version actually running in each deployment (including container images). If upgrading is not immediately possible, setting `disable_error_logs: true` under `general_settings` removes the path through which unauthenticated input reaches the vulnerable query. Treat that setting as a temporary mitigation rather than a fix: the query itself stays unpatched until you upgrade. Because exploitation needs no valid key, also review proxy access logs for unusual or malformed `Authorization` header values from before the fix was applied.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r75f-5x8p-qvmc","publishedAt":"2026-04-24T16:17:07.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":[],"issueType":"vulnerability","affectedPackages":["litellm@>= 1.81.16, < 1.83.7 (fixed: 1.83.7)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LiteLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-24T16:17:07.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}