LiteLLM CVE-2026-42208
Pre-authentication SQL injection in LiteLLM; KEV-listed 8 May 2026, exploited in 36 hours by UNC6780.
Last refreshed: 20 May 2026 · Appears in 1 active topic
CVE-2026-42208 was exploited in 36 hours; how many LiteLLM deployments still carry it?
Timeline for LiteLLM CVE-2026-42208
Mentioned in: AI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesLiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and DefencesWhat is CVE-2026-42208 in LiteLLM?
How quickly was LiteLLM CVE-2026-42208 exploited after being made public?
Am I affected by LiteLLM CVE-2026-42208 if I use it through BerriAI?
Background
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in the LiteLLM open-source LLM proxy library. CISA added it to the Known Exploited Vulnerabilities catalogue on 8 May 2026. Google's Threat Intelligence Group confirmed that UNC6780 (TeamPCP) exploited the flaw within 36 hours of the KEV addition, using SANDCLOCK-stolen AWS keys and GitHub tokens to move from the open-source library into BerriAI's commercial infrastructure. The 36-hour exploitation window represents roughly an 85 per cent compression of the typical enterprise patch cycle of five to ten days.
The vulnerability's structural significance is its position in the AI application stack: LiteLLM proxies handle authentication tokens, API keys, and query content for every LLM request routed through it. A pre-authentication SQL injection means an attacker can access the proxy's database layer, and the credentials it stores, without first requiring valid LiteLLM credentials. This gives UNC6780 access to the AWS keys and GitHub tokens stored or processed by BerriAI's managed LiteLLM service.
CVE-2026-42208 follows the structural pattern of Log4Shell (CVE-2021-44228): a critical vulnerability in an invisible middleware library with a massive installed base and no centralised customer notification mechanism. Open-source proxy users have no vendor-pushed update PATH and must manually identify, assess, and remediate the exposure across their own deployments. The KEV addition creates federal remediation obligations but no practical mechanism for CISA to notify or enforce against the distributed open-source user base.