The U.S. Cybersecurity and Infrastructure Security Agency on May 8, 2026, added a critical SQL injection vulnerability in BerriAI’s LiteLLM AI proxy to its Known Exploited Vulnerabilities Catalog. The flaw, tracked as CVE-2026-42208, carries a CVSS score of 9.8 and has been actively exploited in the wild, making it a high-priority patching target for any organization using the popular open-source tool to manage large language model integrations.
CISA’s KEV catalog is a living list of vulnerabilities with confirmed in-the-wild exploitation that federal civilian executive branch agencies are required to remediate by an assigned due date; CISA urges critical infrastructure operators and other organizations to prioritize it the same way. Inclusion signals not just theoretical risk but confirmed weaponization by threat actors. For CVE-2026-42208, the agency gave federal civilian executive branch agencies until June 5, 2026, to apply mitigations, but security experts warn that private-sector deployments are equally at risk.
The Vulnerability: SQL Injection in LiteLLM’s Query Handling
At its core, CVE-2026-42208 is a classic SQL injection flaw, but one that strikes at the heart of modern AI application stacks. The vulnerability resides in LiteLLM’s database interaction layer, specifically how user-controlled input is processed before being passed to SQL queries. An attacker can craft malicious input—often through API parameters or chat completion requests—that alters the intended SQL statement.
This can allow an unauthenticated remote attacker to:
- Exfiltrate sensitive data stored in the LiteLLM database, including API keys, user roles, and usage logs.
- Modify or delete data, potentially disrupting AI service operations.
- Escalate privileges by injecting database commands that grant administrative access.
- In some configurations, achieve remote code execution on the underlying host by chaining with database server features.
The vulnerability exists because LiteLLM fails to properly parameterize queries in several backend modules, particularly those handling dynamic prompt routing and cost tracking. According to the CVE record, the flaw affects all LiteLLM versions prior to 1.48.3, and the maintainers released a patch on May 2, 2026, just days before CISA’s action.
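The bug class described above, and the parameterized-query fix the maintainers are credited with, can be shown in a few lines. The following is an added illustration written for this article; it is not LiteLLM’s code, schema, or endpoint, and the table name, column names, and `virtual_keys` rows are constructed stand-ins. It puts a string-spliced lookup next to its bound-parameter form, and adds the one case parameters cannot cover, a caller-supplied sort column, which has to be allowlisted instead.

```python
import sqlite3

# Hypothetical key store standing in for a proxy's database.
# Table and column names are constructed for this example, not LiteLLM's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT, team TEXT, spend REAL)")
    conn.executemany(
        "INSERT INTO virtual_keys VALUES (?, ?, ?)",
        [
            ("sk-team-a-0001", "team-a", 12.5),
            ("sk-team-b-0002", "team-b", 3.0),
            ("sk-team-c-0003", "team-c", 99.0),
        ],
    )
    return conn


def lookup_vulnerable(conn, team):
    # Vulnerable pattern: the caller-controlled value is spliced into the SQL
    # text, so quote characters in the input change the statement itself.
    sql = f"SELECT token FROM virtual_keys WHERE team = '{team}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, team):
    # Parameterized: the driver sends the value separately from the SQL text,
    # so the input is always compared as data and never parsed as SQL.
    sql = "SELECT token FROM virtual_keys WHERE team = ?"
    return [row[0] for row in conn.execute(sql, (team,))]


# Identifiers (table and column names) cannot be bound as parameters,
# so a caller-chosen sort column must be checked against a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"team", "spend"}


def list_teams_sorted(conn, order_by):
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT team FROM virtual_keys ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


# A textbook tautology payload; harmless here because the database is in memory.
PAYLOAD = "team-a' OR '1'='1"


def demo():
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every token leaks
        "hardened": lookup_hardened(conn, PAYLOAD),      # no team has that literal name
    }


if __name__ == "__main__":
    for mode, tokens in demo().items():
        print(f"{mode}: {tokens}")
```

Run it and the vulnerable path returns all three tokens for a single malformed `team` value, while the hardened path returns nothing. The allowlist in `list_teams_sorted` is the part most often forgotten when a codebase is migrated to parameterized queries: bound parameters protect values, but anything that lands in the statement as an identifier still has to be validated by hand.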
LiteLLM’s Role in AI Infrastructure
LiteLLM is an open-source proxy that sits between applications and multiple LLM providers like OpenAI, Anthropic, Cohere, and Azure OpenAI. It handles tasks such as load balancing, failover, rate limiting, cost tracking, and API key management. For many enterprises, it has become the central spine of their generative AI deployment.
Its appeal lies in its simplicity: with a single Python package, teams can unify access to dozens of models under a consistent API. But that central role also means a compromise can expose not just one model endpoint but the entire LLM fabric of an organization. Many LiteLLM instances are deployed with production databases—PostgreSQL, MySQL, or SQLite—that store persistent configuration and secrets.
“LiteLLM is the kind of tool that becomes so deeply embedded you forget it’s there,” said Clara Mendez, a principal security researcher at DevNull Labs. “One SQL injection bug can dump every API key your company uses—OpenAI, Anthropic, Azure—right into an attacker’s hands. That’s a catastrophic data exfiltration scenario.”
The active exploits seen by CISA and third-party researchers appear to target exactly that: automated scraping of API keys and user tokens from exposed LiteLLM instances. In some observed cases, attackers used the stolen keys to generate expensive LLM queries—draining victim budgets—or to feed malicious content into downstream applications.
Why SQL Injection Still Matters in AI Proxies
SQL injection is one of the oldest web application vulnerabilities, yet it persists because untrusted input still reaches query text through string concatenation instead of bound parameters, a habit that is especially common in rapidly developed open-source tools. In the AI space, where new libraries and proxies proliferate weekly, security reviews often lag behind feature releases. LiteLLM’s case is a stark reminder that even tools handling bleeding-edge AI workloads are built on traditional web stacks where OWASP Top 10 flaws can thrive.
The dangerous nuance in AI proxies is the data they hold. Unlike a typical web app that might store user profile information, a compromised AI proxy can give attackers:
- Direct access to LLM credentials, allowing abuse of expensive models.
- The ability to intercept or modify prompts and responses, enabling prompt injection or data poisoning across all users.
- Insight into internal usage patterns, which can reveal sensitive business logic.
- A pivot point into other internal services if the proxy is co-located in the network.
“This is a supply-chain-style vulnerability,” said Alex Chen, CEO of AI security startup ModGuard. “If I compromise your LiteLLM instance, I compromise every AI API you consume. And because LiteLLM is often run as a sidecar or internal service, perimeter defenses rarely inspect its traffic.”
CISA’s KEV and Binding Operational Directive 22-01
CISA’s Known Exploited Vulnerabilities Catalog was established under Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to remediate each cataloged vulnerability by the due date CISA assigns to its catalog entry. While the directive legally binds only those agencies, CISA explicitly recommends that all organizations, public and private, use the KEV list as a prioritization framework.
The addition of CVE-2026-42208 marks a notable shift: KEV entries have historically skewed toward operating system, network appliance, and common enterprise software flaws. AI-specific infrastructure is increasingly appearing as attackers recognize the value of AI pipelines. In 2025 and early 2026, KEV additions included several machine-learning framework vulnerabilities, but this LiteLLM entry is among the first targeting a dedicated AI gateway proxy.
CISA’s brief advisory notes that “this vulnerability has been detected in exploitation against U.S. critical infrastructure sectors, including financial services and healthcare,” underscoring the broad deployment of LLM proxies in regulated industries.
Active Exploitation Evidence
Details of the in-the-wild exploitation remain limited as investigations continue, but several threat intelligence firms have published preliminary findings. The attack patterns suggest a two-stage operation:
- Discovery and Exploitation: Shodan and similar search engines readily identify exposed LiteLLM instances, many of which run on default ports without authentication. Attackers send specially crafted HTTP requests containing SQL injection payloads in query parameters or JSON body fields. Successful exploits dump the database schema, then extract tables containing API keys, configuration secrets, and user credentials.
- Post-Exploitation Abuse: With the stolen keys, attackers spin up their own LLM queries, often bypassing rate limits set by the victim, or resell the keys on underground markets. In one case documented by Mandiant, threat actors used compromised Azure OpenAI keys to generate thousands of convincing phishing emails distributed via enterprise tenants, bypassing content filters that were set at the application level.
GreyNoise, a threat intelligence platform, observed scanning activity for LiteLLM endpoints beginning around April 28, 2026, a week before the patch release, and exploitation attempts surged after the patch publicized the vulnerability.
Mitigation and Patching
BerriAI released LiteLLM version 1.48.3 on May 2, 2026, which completes the transition to parameterized queries across all database backends. The patch also introduces enhanced input validation for dynamic routing rules and deprecates a legacy query builder that was particularly susceptible.
Immediate steps for organizations:
- Upgrade LiteLLM to version 1.48.3 or later, ideally to the latest release to pick up additional hardening.
- Rotate all API keys stored in or used by LiteLLM, especially if you have any evidence or suspicion of compromise. This includes keys for LLM providers, database credentials, and internal service tokens.
- Audit access logs for unusual patterns, such as anomalous high-cost queries, queries from unexpected IPs, or spikes in database error messages that might indicate injection attempts.
- Implement network segmentation to ensure the LiteLLM instance is not directly exposed to the internet. Use a reverse proxy with authentication and IP filtering for any necessary external access.
- Monitor CISA’s KEV catalog and enroll in vulnerability feeds for the open-source tools in your AI supply chain.
For those unable to patch immediately, virtual patching via a web application firewall (WAF) can block common SQL injection patterns, but this is a stopgap, as sophisticated attackers can often evade signature-based detection.
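The log audit step above is easier to act on with a concrete triage script. The following is an added example written for this article, not a tool shipped by LiteLLM or BerriAI. It assumes a combined-log style access log in front of the proxy (reverse proxy or load balancer); the `/v1/keys` path, the `team` parameter, and the IP addresses in the sample lines are constructed for the demo and are not LiteLLM’s real endpoints or log format. It URL-decodes each request path, applies loose injection indicators, counts server errors per source, and flags sources where probe-like requests and 5xx responses coincide, which is the trace injection attempts leave behind.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (combined-log style). Paths, parameter names
# and addresses are hypothetical, not LiteLLM's endpoints or log format.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2026:10:01:02 +0000] "GET /v1/keys?team=team-a%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 211
203.0.113.7 - - [08/May/2026:10:01:03 +0000] "GET /v1/keys?team=team-a%27%20UNION%20SELECT%20token%20FROM%20virtual_keys-- HTTP/1.1" 500 211
198.51.100.4 - - [08/May/2026:10:01:05 +0000] "POST /chat/completions HTTP/1.1" 200 1482
203.0.113.7 - - [08/May/2026:10:01:04 +0000] "GET /v1/keys?team=team-a%27%20AND%20SLEEP%285%29-- HTTP/1.1" 500 211
198.51.100.4 - - [08/May/2026:10:02:05 +0000] "GET /v1/keys?team=team-a HTTP/1.1" 200 318
192.0.2.9 - - [08/May/2026:10:03:00 +0000] "GET /v1/keys?team=o%27brien HTTP/1.1" 200 318
"""

# ip ident user [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)$')

# Loose indicators applied to the URL-decoded path. A lone apostrophe
# (o'brien) is deliberately not enough on its own.
SQLI_RE = re.compile(
    r"(?:'\s*(?:or|and)\s+[^=]+=|union\s+select|sleep\s*\(|--\s*$|;\s*drop\s)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def is_sqli_probe(path):
    """True when the decoded path carries a common injection fingerprint."""
    return bool(SQLI_RE.search(unquote_plus(path)))


def summarize(log_text):
    """Per-source counts of requests, probe-like requests and 5xx responses."""
    stats = defaultdict(lambda: {"requests": 0, "sqli_probes": 0, "server_errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if is_sqli_probe(rec["path"]):
            s["sqli_probes"] += 1
        if rec["status"] >= 500:
            s["server_errors"] += 1
    return dict(stats)


def flag_sources(log_text, probe_threshold=2):
    """Sources with repeated probes that also produced server errors."""
    return sorted(
        ip
        for ip, s in summarize(log_text).items()
        if s["sqli_probes"] >= probe_threshold and s["server_errors"] > 0
    )


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("flagged:", flag_sources(SAMPLE_LOG))
```

On the sample, only 203.0.113.7 is flagged: three decoded probes, each answered with a 500. The single apostrophe in `o'brien` is not counted, which is the trade-off to keep in mind when tuning the indicator list. A flagged source should drive the key-rotation step above regardless of whether the probes look successful, since a 500 on the first attempt often precedes a quieter, working payload later.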
Broader Implications for AI Security
CVE-2026-42208 is a wake-up call about the expanding attack surface in the AI ecosystem. As organizations rush to adopt generative AI, they increasingly deploy middleware like LiteLLM, LangChain, Semantic Kernel, and custom agents that stitch together sensitive components. These new layers often lack the mature security practices that have been forced—sometimes painfully—into traditional software over decades.
Industry reaction has been brisk. The Cloud Security Alliance’s AI Safety Working Group cited the LiteLLM incident in an emergency bulletin, urging members to inventory all AI middleware and apply the same vulnerability management rigor as for any internet-facing system. Several bug bounty platforms saw a spike in submissions related to AI proxy tools following the CISA announcement.
Open-source maintainers also face new pressure. BerriAI responded quickly, but the incident highlights the asymmetric burden on small teams maintaining libraries that have become critical infrastructure. The project’s GitHub repository shows a flurry of community activity: two dedicated code reviewers now audit all database-related changes, and a $10,000 bug bounty was posted for similar injection flaws.
Looking Ahead
The LiteLLM SQL injection vulnerability will likely not be the last high-severity flaw in AI orchestration tools. As CISA’s KEV catalog continues to expand with AI-related entries, expect increased regulatory scrutiny. The EU’s AI Act and U.S. executive orders on AI safety both include requirements for supply chain risk management, which are likely to encompass the open-source proxies and frameworks that underpin enterprise AI.
For defenders, the lesson is clear: treat AI middleware with the same rigor as any production service. That means routine vulnerability scanning, prompt patching, credential rotation, and the assumption that any internet-facing component will be targeted. The attackers have already moved in; the only question is how quickly the defense can adapt.