Cybersecurity: Threats and Defences
29 MAY

LiteLLM SQL injection hits in 36 hours

14:17 UTC

UNC6780 exploited LiteLLM CVE-2026-42208 within 36 hours of the KEV addition, compressing the defender's patch window to roughly one-sixth of the typical enterprise cycle and pulling AWS keys and GitHub tokens out of the open-source LLM proxy.

Key takeaway

UNC6780, the same cluster that took Cisco AI Defense source, breached LiteLLM 36 hours after its KEV addition.

UNC6780 exploited CVE-2026-42208, an SQL injection vulnerability in the open-source LiteLLM proxy library, within 36 hours of CISA adding the flaw to the KEV catalogue on Friday 8 May 2026, per Google's Threat Intelligence Group (GTIG) [1][2]. LiteLLM is an open-source proxy that sits between enterprise applications and frontier Large Language Models; its commercial parent, BerriAI, was named as a victim of the same intrusion. UNC6780 used SANDCLOCK-stolen AWS keys and GitHub tokens to operate inside both estates.

The 36-hour figure matters because the typical enterprise patch cycle for KEV-flagged vulnerabilities runs five to ten days. GTIG's assessment is that this window has been compressed by roughly 85 per cent for the LiteLLM case, leaving most defenders without a credible response interval between detection and active intrusion. The 36-hour figure runs alongside the deadline-before-patch tension established by Palo Alto's PAN-OS captive-portal flaw two days earlier, where the first federal deadline preceded the vendor's first available fix.

UNC6780 is the same cluster GTIG named in the Cisco AI Defense source-code theft. The AI-security M&A market repriced by the $32 billion Google-Wiz close in March 2026 now has named breach incidents on both sides of its supply chain: the defender (Cisco AI Defense) and the proxy layer most often deployed in front of it (LiteLLM and BerriAI). Cloudflare AI Gateway sits in the same architectural slot as LiteLLM and has not been named as a victim. For chief information security officers buying AI-security tooling, the procurement question shifts from feature comparison to supply-chain hygiene of the LLM proxy itself.

Deep Analysis

In plain English

LiteLLM is a popular open-source piece of software that lets applications talk to AI services like ChatGPT. Hackers found a security hole in it and started breaking in within 36 hours of the vulnerability being publicly announced, far faster than most organisations can deploy a fix.

Root Causes

LiteLLM's SQL injection in CVE-2026-42208 reflects a category of vulnerability common in libraries that receive rapid community contributions without mandatory security review gates.

The AI infrastructure tooling layer (proxies, gateways, and orchestrators) emerged faster than the software-supply-chain security practices governing it: no Software Bill of Materials requirement, no mandatory security audit before release to production, and no vendor-notified update channel for operators running self-hosted instances.

UNC6780's SANDCLOCK tooling, already used in the Trivy and Cisco GitHub operations, provided pre-positioned AWS keys and GitHub tokens that gave the cluster elevated access inside BerriAI's commercial infrastructure beyond the open-source library itself. The same credential-theft toolchain served three distinct targets within weeks.

First Reported In

Update #4 · AI joins the breach column on both sides

Google Threat Intelligence Group · 20 May 2026
Causes and effects
This Event
LiteLLM SQL injection hits in 36 hours
An AI-proxy library sitting between enterprises and frontier models was breached at machine speed. The cluster that took Cisco's defensive source code also runs the offensive side of the same AI-security market.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.