LiteLLM, SQL Injection, CVE-unknown (Critical)


The vulnerability exists in LiteLLM proxy server versions 1.81.16 through 1.83.6. During the proxy API key check, a database query is built by concatenating the caller-supplied key value directly into the query text instead of passing it as a bound parameter of a prepared statement. An unauthenticated attacker can send a crafted `Authorization` header to any LLM API route (e.g., POST /chat/completions); the malformed header reaches the vulnerable query through the proxy’s error-handling path. Because the value is embedded in the SQL string without parameterization or escaping, the attacker controls part of the query and can inject arbitrary SQL: reading sensitive data from the proxy’s internal database (API keys, upstream provider credentials, logs) and, depending on the database driver and which statements it will execute, modifying or deleting records. The attack requires no privileges and is exploitable remotely over the network; successful exploitation compromises the proxy and every LLM credential it manages. The issue is fixed in version 1.83.7, where the query was refactored to use parameterized queries.
Platform: LiteLLM proxy
Version: 1.81.16-1.83.6
Vulnerability: SQL injection
Severity: Critical
Date: 2026-05-08

Prediction: Already patched v1.83.7

What Undercode Say:

Check the current LiteLLM version (the affected range is 1.81.16 through 1.83.6)
litellm --version
Test for the vulnerability with a crafted Authorization header, only against a proxy you are authorized to assess
curl -X POST https://target-proxy/chat/completions \
  -H "Authorization: Bearer ' OR '1'='1" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-3.5-turbo","messages":[{"role":"user","content":"test"}]}'
A patched proxy rejects this header like any other invalid key (an authentication error); on a vulnerable build the quote becomes part of the SQL, so a database error in the response, or any response other than a plain authentication failure, is the signal
Monitor proxy and database logs for SQL syntax errors raised by key checks (PostgreSQL reports "syntax error at or near", MySQL "error in your SQL syntax"; the log path below is a placeholder, and containerized proxies log to stdout)
grep -iE "syntax error|SQL syntax" /var/log/litellm/proxy.log
Remediation: update to the patched version or later
pip install --upgrade 'litellm>=1.83.7'

Exploit:

The attacker sends `Authorization: Bearer ' UNION SELECT username,password FROM api_keys--` to any endpoint that performs the key check. The table and column names here are placeholders; the real schema has to be enumerated first, for example from the error messages the proxy returns. An SQL error message in the response (error-based injection) or a difference in response timing (blind injection) reveals database contents. Modification uses a stacked query such as `; UPDATE users SET role='admin' --`, which only works where the database driver executes more than one statement per call.

Protection from this CVE:

Upgrade to LiteLLM 1.83.7 or later immediately. If that is not possible, put a WAF or reverse proxy in front of the service that rejects `Authorization` headers containing `'`, `"`, `;` or `--`, or better, one that only passes Bearer tokens matching the key format you actually issue. Query parameterization is a code-level fix and is what 1.83.7 ships; no runtime setting retrofits it onto a concatenated query. Disable verbose SQL error output so responses do not echo query text, restrict network access to the proxy, and if an instance was reachable while vulnerable, rotate the virtual keys and upstream provider credentials stored in its database.
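A defence-side check, added here as an example and not part of LiteLLM or of the advisory: an allowlist on the Authorization header that passes only a Bearer token made of URL-safe characters, which rejects the injection payloads above without maintaining a denylist of quote and comment characters, together with the version-range test behind the "check current version" step in the section above. The token character class and length bounds are assumptions to adjust to the key format in use; the installed version is read with `importlib.metadata`.

```python
import re
from importlib import metadata
from typing import Optional, Tuple

# Affected range as stated by the advisory: 1.81.16 through 1.83.6, fixed in 1.83.7.
AFFECTED_MIN = (1, 81, 16)
AFFECTED_MAX = (1, 83, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce 'major.minor.patch[suffix]' to a comparable integer triple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def installed_litellm_version() -> Optional[str]:
    """Version of the litellm package in this interpreter, or None if it is not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


# Assumed key shape: "sk-" style virtual keys made only of URL-safe characters.
# Adjust the character class and bounds to the key format your proxy actually issues.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,256}$")


def screen_authorization(header: Optional[str]) -> Tuple[bool, str]:
    """Allowlist check to run in a WAF or reverse proxy in front of an unpatched LiteLLM.

    Returns (allowed, reason). Anything that is not 'Bearer <token>' with the token
    drawn from the allowed character set is dropped, so quotes, spaces, semicolons
    and '--' never reach the proxy's key check.
    """
    if header is None:
        return False, "missing Authorization header"
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "not a Bearer token"
    if not TOKEN_RE.match(token):
        return False, "token contains characters outside the allowed set"
    return True, "ok"


if __name__ == "__main__":
    ver = installed_litellm_version()
    print("installed litellm:", ver, "affected:", ver is not None and is_affected(ver))
    for hdr in ("Bearer sk-alice-0001", "Bearer ' OR '1'='1", "Basic Zm9v", None):
        print(repr(hdr), "->", screen_authorization(hdr))
```

The allowlist is deliberately stricter than the denylist in the text: a token containing a space already fails, so the check does not need to enumerate every character an injection might use, and the reason string gives the WAF log something more useful than a generic block.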

Impact:

Full database compromise: theft of all stored API keys, credentials, and secrets. Unauthorized access to proxied LLM models. Potential lateral movement to cloud environments. Integrity loss via data modification/deletion.


Sources:

Reported By: www.cve.org
