Technical description
A critical SQL injection vulnerability (CVSS 9.3) in the open-source LiteLLM AI gateway allows unauthenticated attackers to read and modify database contents during proxy API key verification. The flaw exists because the key-lookup query is built by interpolating caller-supplied values directly into the SQL string instead of binding them as parameters, and because that lookup runs before any authentication decision is made, the bug is fully pre-auth: no valid key is needed to reach the vulnerable query. Sysdig observed attackers specifically targeting three database tables containing API keys, provider credentials, and environment variable configuration.
Attack vector
An unauthenticated attacker sends a specially crafted Authorization header to any LLM API route exposed by the LiteLLM proxy. The header value is spliced into the SQL query executed during key verification, before any authentication check, so the usual controls on authenticated traffic (key scoping, per-key rate limits, spend caps) do not apply. The attacker can then read credentials stored in the database or modify data, enabling credential theft and potential lateral movement to the connected LLM providers whose credentials the proxy holds.
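The bug class in the two sections above, shown as an added example that is not LiteLLM's own code: a pre-auth key lookup that splices the bearer token into the SQL text, next to the parameterized form. The schema (virtual_keys, provider_credentials), the sample rows and the injected header value are all constructed for illustration and are not LiteLLM's real tables, query or any observed payload.

```python
"""Illustration of the bug class: a key-verification lookup that splices the
caller-supplied bearer token into SQL text, beside the parameterized form.
Constructed demo schema, data and payload; NOT LiteLLM's schema, query or
an observed exploit."""
import sqlite3

# Constructed payload: closes the string literal, appends a UNION that reads a
# second table with the same column count, and comments out the rest of the
# original query. Only the string-formatted query is affected by it.
EXFIL_HEADER = "Bearer ' UNION SELECT provider, secret, 0 FROM provider_credentials --"


def make_demo_db() -> sqlite3.Connection:
    """In-memory database standing in for the proxy's key store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT, spend REAL)")
    conn.execute("CREATE TABLE provider_credentials (provider TEXT, secret TEXT)")
    conn.executemany("INSERT INTO virtual_keys VALUES (?, ?, ?)",
                     [("sk-team-a-0001", "team-a", 1.5), ("sk-team-b-0007", "team-b", 0.0)])
    conn.executemany("INSERT INTO provider_credentials VALUES (?, ?)",
                     [("openai", "PROVIDER-SECRET-1"), ("anthropic", "PROVIDER-SECRET-2")])
    conn.commit()
    return conn


def token_from_header(authorization: str) -> str:
    """Strip the 'Bearer ' prefix; everything after it is attacker-controlled."""
    prefix = "Bearer "
    return authorization[len(prefix):] if authorization.startswith(prefix) else authorization


def verify_key_vulnerable(conn: sqlite3.Connection, authorization: str) -> list:
    """Pre-auth lookup that builds the SQL by string formatting (the bug class)."""
    token = token_from_header(authorization)
    sql = f"SELECT token, team, spend FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def verify_key_fixed(conn: sqlite3.Connection, authorization: str) -> list:
    """Same lookup with a bound parameter: the token is data, never SQL."""
    token = token_from_header(authorization)
    return conn.execute(
        "SELECT token, team, spend FROM virtual_keys WHERE token = ?", (token,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a legitimate key and with the injected header."""
    conn = make_demo_db()
    good = "Bearer sk-team-a-0001"
    return {
        "vulnerable_valid_key": verify_key_vulnerable(conn, good),
        "vulnerable_injected": verify_key_vulnerable(conn, EXFIL_HEADER),
        "fixed_valid_key": verify_key_fixed(conn, good),
        "fixed_injected": verify_key_fixed(conn, EXFIL_HEADER),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the string-formatted query the injected header returns the provider_credentials rows even though no key matched; with the bound parameter the same header is compared as an opaque string and matches nothing. The fix is the parameter binding, not input filtering on the header: a denylist of quotes or keywords would only narrow the payloads that work.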
Affected systems
LiteLLM proxy deployments prior to the patch released on April 20, 2026. LiteLLM is a widely used open-source AI gateway that sits between applications and LLM providers (OpenAI, Anthropic, Azure OpenAI, etc.), handling authentication, load balancing, and cost tracking. Any organization running an unpatched LiteLLM proxy is affected; exposure is highest where the proxy is reachable from the internet or from untrusted networks, since the vulnerable route needs no valid key.
Mitigation
Upgrade LiteLLM immediately to the patched version released on April 20, 2026. Review proxy access logs for Authorization headers containing SQL syntax and for database errors returned to clients, at minimum from April 24, 2026 (when the advisory was indexed in the GitHub Advisory Database) until the patch was deployed, and earlier if log retention allows, since the flaw predates its public disclosure. Rotate all API keys and provider credentials stored in the LiteLLM database, including any secrets held in the environment variable configuration table, and regenerate provider credentials at the provider rather than only replacing the stored copy, as active exploitation was observed targeting those tables. Because the injection also allows writes, audit the key and credential tables for rows that were added or altered during the exposure window rather than relying on rotation alone. Restrict network exposure of the proxy (it should not be reachable from the internet or from untrusted tenants); this reduces but does not remove the risk while a deployment is unpatched.
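The log review step above, as an added example that is not part of the advisory or of LiteLLM: a small triage script that flags requests whose bearer token contains SQL syntax and responses that surfaced a database error, then groups hits by source address. The log line format and the sample lines are constructed for the example and are not LiteLLM's own log format; adapt LINE_RE to whatever the proxy or its reverse proxy actually writes.

```python
"""Triage of proxy access logs for two indicators of SQL injection probing
against the key-verification path: SQL syntax inside the bearer token, and
database errors leaking to the client. Log format and lines are constructed
for this example (not LiteLLM's format)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed format:
# <ts> <src_ip> <method> <path> <status> auth="<Authorization value>" err="<error text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'auth="(?P<auth>[^"]*)" err="(?P<err>[^"]*)"$'
)

# Proxy keys are opaque tokens: quotes, comment markers, statement separators or
# SQL keywords inside the bearer value have no benign explanation. Short words
# such as OR/AND are deliberately left out to avoid matching key prefixes like
# "sk-or-..."; the quote that such payloads need is caught anyway.
SQLI_TOKEN_RE = re.compile(
    r"""['"`;]|--|/\*|\b(?:union|select|sleep|pg_sleep|drop|update|insert)\b""", re.I
)

# Database error text reaching the client is a second signal: probing usually
# produces syntax errors before a working payload is found.
DB_ERROR_RE = re.compile(r"syntax error|prisma|postgres|\bsql\b", re.I)

# Constructed sample lines: one clean request, two probes from the same source,
# and a legitimate key whose prefix must not trigger the keyword check.
SAMPLE_LOG = """\
2026-04-25T10:01:02Z 10.0.0.5 POST /v1/chat/completions 200 auth="Bearer sk-team-a-0001" err=""
2026-04-25T10:01:09Z 203.0.113.7 POST /v1/chat/completions 500 auth="Bearer sk-a'" err="syntax error at or near"
2026-04-25T10:01:11Z 203.0.113.7 POST /v1/chat/completions 401 auth="Bearer ' UNION SELECT a, b, c FROM t --" err=""
2026-04-25T10:02:00Z 10.0.0.9 GET /v1/models 200 auth="Bearer sk-or-v1-0a9f" err=""
""".splitlines()


@dataclass
class Finding:
    ts: str
    ip: str
    path: str
    reason: str
    auth: str


def parse(line: str):
    """Return the fields of one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines) -> list:
    """Scan log lines and return one Finding per suspicious request."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        auth = rec["auth"]
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
        reasons = []
        if SQLI_TOKEN_RE.search(token):
            reasons.append("sql syntax in bearer token")
        if DB_ERROR_RE.search(rec["err"]):
            reasons.append("database error returned to client")
        if reasons:
            findings.append(Finding(rec["ts"], rec["ip"], rec["path"], "; ".join(reasons), auth))
    return findings


def suspicious_sources(findings) -> dict:
    """Count findings per source address, for prioritising which hosts to examine."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.path}: {f.reason} ({f.auth})")
    print(suspicious_sources(hits))
```

A hit is a hunting lead, not proof of compromise: confirm by correlating the source with subsequent requests that used keys it should not have held, and with any rows in the key and credential tables that changed around the same time. Absence of hits proves little if the reverse proxy in front of LiteLLM does not log the Authorization header.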