Vulnerability  ·  2026-05-09

CVE-2026-42208: Critical SQL Injection in LiteLLM Added to CISA KEV

Vulnerability · High impact · Global · CVE-2026-42208
LiteLLM, a widely used AI gateway proxy for calling LLM APIs, contains a critical SQL injection vulnerability (CVSS 9.8) in its API key validation logic. The vulnerability affects versions 1.81.16 through 1.83.6. An attacker can exploit the flaw to read data from the proxy's database and potentially modify it, gaining unauthorized access to the proxy and to the credentials it manages.
Because the flaw sits in key validation, no valid credential is needed: an unauthenticated attacker supplies a crafted API key that is interpolated into the text of a SQL query rather than bound as a parameter, so the attacker's input is parsed as SQL. This allows arbitrary SQL statements to run against the proxy's database, exposing stored credentials, API keys, and configuration data for the downstream LLM services behind the proxy.
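To make the mechanism concrete, the following is an added example, not code from LiteLLM or from this advisory: a minimal key-validation lookup written in the interpolated style the advisory describes, beside its parameterized replacement, both run against a constructed in-memory SQLite database. The table and column names (virtual_keys, provider_credentials), the sample rows and the two attacker-supplied "keys" are assumptions for illustration only; LiteLLM's actual schema and query layer are not shown here.

```python
import sqlite3

# Constructed in-memory schema standing in for the proxy's database.
# Table/column names and rows are assumptions for this illustration, not LiteLLM's schema.
SCHEMA = """
CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, user_id TEXT NOT NULL);
CREATE TABLE provider_credentials (provider TEXT PRIMARY KEY, api_key TEXT NOT NULL);
INSERT INTO virtual_keys VALUES ('sk-valid-key-1', 'alice');
INSERT INTO provider_credentials VALUES ('openai', 'sk-openai-UPSTREAM-SECRET');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate_key_vulnerable(conn, api_key):
    """The pattern the advisory describes: the caller-supplied key is
    interpolated into the query text, so quote characters in it are parsed
    as SQL. Returns the matching (token, user_id) row, or None."""
    sql = f"SELECT token, user_id FROM virtual_keys WHERE token = '{api_key}'"
    return conn.execute(sql).fetchone()


def validate_key_fixed(conn, api_key):
    """Hardened form: the key is bound as a parameter and is transmitted to
    the engine as data; its content can never change the query's structure."""
    sql = "SELECT token, user_id FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (api_key,)).fetchone()


# Constructed attacker inputs sent where an API key is expected.
BYPASS_KEY = "' OR '1'='1"                       # tautology: matches every key row
EXFIL_KEY = "x' UNION SELECT api_key, provider FROM provider_credentials --"  # reads another table


def demo():
    """Run a legitimate key and both attacker keys through each validator."""
    conn = make_db()
    return {
        "legit_vuln": validate_key_vulnerable(conn, "sk-valid-key-1"),
        "legit_fixed": validate_key_fixed(conn, "sk-valid-key-1"),
        "bypass_vuln": validate_key_vulnerable(conn, BYPASS_KEY),
        "bypass_fixed": validate_key_fixed(conn, BYPASS_KEY),
        "exfil_vuln": validate_key_vulnerable(conn, EXFIL_KEY),
        "exfil_fixed": validate_key_fixed(conn, EXFIL_KEY),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:13s} -> {row}")
```

Running demo() shows the two consequences the advisory's description implies: the tautology key is accepted as if it were a valid credential, and the UNION key returns a downstream provider secret from an unrelated table. The parameterized version returns None for both. Fix the code path, not the input: escaping or blocklisting quote characters is not a substitute for binding parameters.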
Affected are LiteLLM proxy deployments running versions 1.81.16 through 1.83.6. LiteLLM is commonly used in enterprise environments to standardize and secure access to multiple LLM providers (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI) and is a critical component in many agentic AI architectures, so a compromised proxy exposes every provider credential it fronts.
Upgrade to LiteLLM version 1.83.7-stable or later immediately. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog with a federal due date of May 11, 2026, indicating confirmed active exploitation. Organizations unable to patch immediately should isolate LiteLLM proxies from untrusted networks. Because the flaw allows the database to be read, rotate all managed credentials (proxy API keys and downstream provider keys) for any instance that ran an affected version while reachable by untrusted clients, even after upgrading; patching alone does not revoke keys that may already have been read.
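A small triage helper, added here and not part of the advisory or of LiteLLM, for checking a reported version against the affected range above. It tolerates an optional "v" prefix and a "-stable" suffix (an assumption based on the release tag the advisory names) and compares numeric tuples rather than strings, so that a version such as 1.9.x is not mis-ordered against 1.83.x. installed_version() uses importlib.metadata and returns None when the litellm package is not installed in the current interpreter.

```python
import re
from importlib import metadata

# Affected range and fixed release as stated in the advisory.
AFFECTED_MIN = (1, 81, 16)
AFFECTED_MAX = (1, 83, 6)
FIXED = (1, 83, 7)


def parse_version(s):
    """Convert '1.83.7', 'v1.83.7' or '1.83.7-stable' into an int tuple.
    Accepting a trailing suffix is an assumption based on the '-stable'
    tag named in the advisory; anything after the third number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_str):
    """True when the version lies in 1.81.16 .. 1.83.6 inclusive."""
    return AFFECTED_MIN <= parse_version(version_str) <= AFFECTED_MAX


def triage(version_str):
    """Return a one-line verdict for a deployment's reported version."""
    v = parse_version(version_str)
    fixed = ".".join(str(n) for n in FIXED)
    if v < AFFECTED_MIN:
        return "outside the affected range (before 1.81.16)"
    if v <= AFFECTED_MAX:
        return f"AFFECTED: upgrade to {fixed}-stable or later and rotate managed credentials"
    return f"patched ({fixed} or later)"


def installed_version():
    """Version of the litellm package in this interpreter, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("litellm: not installed in this interpreter")
    else:
        print(f"litellm {v}: {triage(v)}")
```

For container deployments, feed the image tag (for example 1.83.7-stable) to triage() instead of relying on the Python package version inside the image; the two should agree, and a mismatch is itself worth investigating.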
Sources
CISA KEV Catalog
NVD CVE-2026-42208
GitHub Advisory GHSA-r75f-5x8p-qvmc