LiteLLM
Open-source gateway for routing AI model requests; CVE-2026-42208 (pre-authentication SQL injection) under active exploitation as of April 2026.
Last refreshed: 20 May 2026 · Appears in 1 active topic
LiteLLM was breached in 36 hours; how many enterprise AI stacks are still running vulnerable versions?
Timeline for LiteLLM
LiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and Defences- What is LiteLLM and why was it hacked?
- LiteLLM is an open-source software library that lets applications connect to AI models like ChatGPT or Claude. In May 2026 hackers exploited a SQL injection vulnerability (CVE-2026-42208) within 36 hours of it being flagged as critical by US authorities. The same group had already stolen Cisco's AI security source code.Source: GTIG
- How serious is the LiteLLM CVE-2026-42208 vulnerability?
- CVE-2026-42208 is a pre-authentication SQL injection in LiteLLM that CISA added to the Known Exploited Vulnerabilities catalogue on 8 May 2026. It was actively exploited within 36 hours by UNC6780, roughly 85 per cent faster than the typical enterprise five-to-ten-day patch cycle, giving most organisations no viable response window.Source: GTIG / CISA
- Should I stop using LiteLLM after the breach?
- GTIG's May 2026 report recommends treating LiteLLM and all AI-proxy libraries as first-class supply-chain targets requiring patching priority equivalent to perimeter firewalls. Organisations should verify they are running a patched version beyond CVE-2026-42208, audit AWS keys and GitHub tokens for signs of SANDCLOCK-style credential theft, and evaluate whether commercial AI gateway alternatives with dedicated security engineering are appropriate for their risk profile.Source: GTIG
Background
LiteLLM is an open-source proxy library that routes requests from enterprise applications to frontier large language model APIs including OpenAI, Anthropic, and others. It occupies the middleware layer between enterprise software and commercial AI services, managing authentication, rate limiting, and model routing without requiring application rewrites when switching between LLM providers. Its commercial parent is BerriAI. As of May 2026, LiteLLM was one of the most widely deployed open-source LLM proxies in enterprise AI stacks.
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in LiteLLM added to CISA's Known Exploited Vulnerabilities catalogue on 8 May 2026. UNC6780 (TeamPCP) exploited the flaw within 36 hours of the KEV addition, compressing the typical enterprise patch window of five to ten days by roughly 85 per cent. The cluster used SANDCLOCK-stolen AWS keys and GitHub tokens to move from the open-source library into BerriAI's commercial infrastructure. GTIG named both LiteLLM and BerriAI as victims of the intrusion.
LiteLLM's position in enterprise AI architecture is structurally analogous to Log4j in Java application stacks: an invisible middleware dependency that becomes a catastrophic blast radius when a critical vulnerability emerges. Unlike commercial AI gateway vendors with dedicated security engineering, open-source proxies lack centralised customer notification, mandatory security review gates, or vendor-pushed update channels. The LiteLLM case establishes AI-proxy libraries as a distinct attack-surface category requiring the same vulnerability-management priority as perimeter firewalls.
