
LiteLLM
Open-source gateway for routing AI model requests; CVE-2026-42208 (pre-authentication SQL injection) under active exploitation as of April 2026.
Last refreshed: 20 May 2026 · Appears in 1 active topic
LiteLLM was breached in 36 hours; how many enterprise AI stacks are still running vulnerable versions?
Timeline for LiteLLM
Mentioned in: AI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesLiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and DefencesWhat is LiteLLM and why was it hacked?
How serious is the LiteLLM CVE-2026-42208 vulnerability?
Should I stop using LiteLLM after the breach?
Background
LiteLLM is an open-source proxy library that routes requests from enterprise applications to frontier large language model APIs including OpenAI, Anthropic, and others. It occupies the middleware layer between enterprise software and commercial AI services, managing authentication, rate limiting, and model routing without requiring application rewrites when switching between LLM providers. Its commercial parent is BerriAI. As of May 2026, LiteLLM was one of the most widely deployed open-source LLM proxies in enterprise AI stacks.
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in LiteLLM added to CISA's Known Exploited Vulnerabilities catalogue on 8 May 2026. UNC6780 (TeamPCP) exploited the flaw within 36 hours of the KEV addition, compressing the typical enterprise patch window of five to ten days by roughly 85 per cent. The cluster used SANDCLOCK-stolen AWS keys and GitHub tokens to move from the open-source library into BerriAI's commercial infrastructure. GTIG named both LiteLLM and BerriAI as victims of the intrusion.
LiteLLM's position in enterprise AI architecture is structurally analogous to Log4j in Java application stacks: an invisible middleware dependency that becomes a catastrophic blast radius when a critical vulnerability emerges. Unlike commercial AI gateway vendors with dedicated security engineering, open-source proxies lack centralised customer notification, mandatory security review gates, or vendor-pushed update channels. The LiteLLM case establishes AI-proxy libraries as a distinct attack-surface category requiring the same vulnerability-management priority as perimeter firewalls.