GHSA-r75f-5x8p-qvmc: LiteLLM has SQL Injection in Proxy API key verification
Summary
LiteLLM's proxy API key verification has a SQL injection vulnerability (a type of attack where an attacker inserts malicious database commands into input fields). An unauthenticated attacker could send a specially crafted authorization header to exploit this flaw and potentially read or modify the proxy's database, gaining unauthorized access to stored credentials.
Solution / Mitigation
Fixed in version 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later. Alternatively, if upgrading is not immediately possible, set `disable_error_logs: true` under `general_settings` to remove the path through which unauthenticated input reaches the vulnerable query.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-r75f-5x8p-qvmc
First tracked: April 24, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%