LiteLLM CVE-2026-42208
Pre-authentication SQL injection in LiteLLM; KEV-listed 8 May 2026, exploited in 36 hours by UNC6780.
Last refreshed: 20 May 2026 · Appears in 1 active topic
CVE-2026-42208 was exploited in 36 hours; how many LiteLLM deployments still carry it?
Timeline for LiteLLM CVE-2026-42208
LiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and Defences
- What is CVE-2026-42208 in LiteLLM?
- CVE-2026-42208 is a pre-authentication SQL injection flaw in the LiteLLM open-source AI proxy library. CISA added it to the Known Exploited Vulnerabilities list on 8 May 2026. The UNC6780 threat cluster exploited it within 36 hours, gaining access to stored credentials and moving into BerriAI's commercial infrastructure. Source: GTIG / CISA
- How quickly was LiteLLM CVE-2026-42208 exploited after being made public?
- UNC6780 exploited CVE-2026-42208 within 36 hours of CISA adding it to the KEV catalogue on 8 May 2026. This is roughly 85 per cent faster than the typical enterprise patch window of five to ten days, leaving most organisations no realistic time to deploy a fix before exploitation. Source: GTIG
- Am I affected by LiteLLM CVE-2026-42208 if I use it through BerriAI?
- BerriAI was named as a victim of the same UNC6780 intrusion via CVE-2026-42208. If you use BerriAI's managed LiteLLM service, AWS keys, GitHub tokens, or API keys stored in that environment may have been accessed. BerriAI had not issued a scope assessment at time of reporting. Source: GTIG
Background
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM proxy library. CISA added it to the Known Exploited Vulnerabilities catalogue on 8 May 2026. Google's Threat Intelligence Group confirmed that UNC6780 (TeamPCP) exploited the flaw within 36 hours of the KEV addition, using SANDCLOCK-stolen AWS keys and GitHub tokens to move from the open-source library into BerriAI's commercial infrastructure. The 36-hour exploitation window represents roughly an 85 per cent compression of the typical enterprise patch cycle of five to ten days.
The vulnerability's structural significance is its position in the AI application stack: LiteLLM proxies handle authentication tokens, API keys, and query content for every LLM request routed through them. A pre-authentication SQL injection means an attacker can reach the proxy's database layer, and the credentials it stores, without first holding valid LiteLLM credentials. This gave UNC6780 access to the AWS keys and GitHub tokens stored or processed by BerriAI's managed LiteLLM service.
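The paragraph above describes the class of defect, not its specific location in LiteLLM. The following added example (not LiteLLM's or BerriAI's code; the `virtual_keys` table, the `sk-` token format and the sample rows are all constructed for illustration) shows why a proxy's key-lookup path is the dangerous place for this bug: a lookup that splices a caller-supplied token into the SQL text lets untrusted input change the statement, while a parameterised query plus a format allowlist keeps the same input as inert data. It runs offline against an in-memory SQLite table.

```python
import re
import sqlite3

# Constructed sample key store: a stand-in for the table a proxy uses to map
# API tokens to owners. Hypothetical schema, not LiteLLM's.
SAMPLE_KEYS = [
    ("sk-aaaa1111", "team-alpha"),
    ("sk-bbbb2222", "team-beta"),
]

# Allowlist for the token format this hypothetical proxy issues; anything
# else is rejected before it reaches the database at all.
TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9]{8,64}$")


def build_db():
    """Create the in-memory key store and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO virtual_keys VALUES (?, ?)", SAMPLE_KEYS)
    conn.commit()
    return conn


def lookup_team_unsafe(conn, token):
    """Vulnerable pattern: the token is pasted into the SQL text, so quote
    characters in it are parsed as SQL rather than treated as a value."""
    sql = f"SELECT team FROM virtual_keys WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_team_safe(conn, token):
    """Hardened pattern: reject anything outside the issued token format, then
    bind the value as a parameter so the statement text never changes."""
    if not TOKEN_RE.fullmatch(token):
        return None
    row = conn.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def probe_unsafe(conn, token):
    """Run the unsafe lookup and report whether the input changed the parse:
    returns the result, or the string 'error' when SQLite rejected the
    statement that the input produced."""
    try:
        return lookup_team_unsafe(conn, token)
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = build_db()
    for candidate in ("sk-aaaa1111", "sk-zzzz'"):
        print(candidate, "unsafe:", probe_unsafe(db, candidate),
              "safe:", lookup_team_safe(db, candidate))
```

A single stray quote is enough to make the unsafe lookup fail to parse, which is the same property an attacker relies on to rewrite the statement; the parameterised version answers `None` for the same input without ever handing it to the SQL parser. In a proxy this lookup runs before any caller is authenticated, which is what makes a flaw here pre-authentication.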
CVE-2026-42208 follows the structural pattern of Log4Shell (CVE-2021-44228): a critical vulnerability in an invisible middleware library with a massive installed base and no centralised customer notification mechanism. Open-source proxy users have no vendor-pushed update path and must manually identify, assess, and remediate the exposure across their own deployments. The KEV addition creates federal remediation obligations but no practical mechanism for CISA to notify or enforce against the distributed open-source user base.