Cybersecurity: Threats and Defences
20 May

LiteLLM SQL injection hits in 36 hours

09:58 UTC

UNC6780 exploited LiteLLM CVE-2026-42208 within 36 hours of the KEV addition, compressing the defender's patch window to roughly one-sixth of the typical enterprise cycle and pulling AWS keys and GitHub tokens out of the open-source LLM proxy.

Technology · Developing
Key takeaway

UNC6780, the same cluster that took Cisco AI Defense source, breached LiteLLM 36 hours after its KEV addition.

UNC6780 exploited CVE-2026-42208, an SQL injection vulnerability in the open-source LiteLLM proxy library, within 36 hours of CISA adding the flaw to the KEV catalogue on Friday 8 May 2026, per Google's Threat Intelligence Group (GTIG) [1][2]. LiteLLM is an open-source proxy that sits between enterprise applications and frontier Large Language Models; its commercial parent, BerriAI, was named as a victim of the same intrusion. UNC6780 used SANDCLOCK-stolen AWS keys and GitHub tokens to operate inside both estates.

The 36-hour figure matters because the typical enterprise patch cycle for KEV-flagged vulnerabilities runs five to ten days. GTIG's assessment is that this window has been compressed by roughly 85 percent for the LiteLLM case, leaving most defenders without a credible response interval between detection and active intrusion. The 36-hour figure runs alongside the deadline-before-patch tension established by Palo Alto's PAN-OS captive-portal flaw two days earlier, where the first federal deadline preceded the vendor's first available fix.

UNC6780 is the same cluster GTIG named in the Cisco AI Defense source-code theft. The AI-security M&A market repriced by the $32 billion Google-Wiz close in March 2026 now has named breach incidents on both sides of its supply chain: the defender (Cisco AI Defense) and the proxy layer most often deployed in front of it (LiteLLM and BerriAI). Cloudflare AI Gateway sits in the same architectural slot as LiteLLM and has not been named as a victim. For chief information security officers buying AI-security tooling, the procurement question shifts from feature comparison to supply-chain hygiene of the LLM proxy itself.

Deep Analysis

In plain English

LiteLLM is a popular open-source piece of software that lets applications talk to AI services like ChatGPT. Hackers found a security hole in it and started breaking in within 36 hours of the vulnerability being publicly announced, far faster than most organisations can deploy a fix.

Root Causes

LiteLLM's SQL injection in CVE-2026-42208 reflects a category of vulnerability common in libraries that receive rapid community contributions without mandatory security review gates.

The AI infrastructure tooling layer (proxies, gateways, and orchestrators) emerged faster than the software-supply-chain security practices governing it: no Software Bill of Materials requirement, no mandatory security audit before release to production, and no vendor-notified update channel for operators running self-hosted instances.

UNC6780's SANDCLOCK tooling, already used in the Trivy and Cisco GitHub operations, provided pre-positioned AWS keys and GitHub tokens that gave the cluster elevated access inside BerriAI's commercial infrastructure beyond the open-source library itself. The same credential-theft toolchain served three distinct targets within weeks.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group · 20 May 2026
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.