CVE-2026-42208
critical
KEV
CVSS v3: 9.8
CVSS v2: —
VIR risk: 10.0
Description
LiteLLM has SQL Injection in Proxy API key verification
CISA KEV
- Vendor: BerriAI
- Product: LiteLLM
- Due date: 2026-05-11
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc ; https://nvd.nist.gov/vuln/detail/CVE-2026-42208
Vendor advisory: security-advisories@github.com — https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc
Vendor advisory: security-advisories@github.com — https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
Exploits
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| litellm | litellm | >= 1.81.16, < 1.83.7 | 1.83.7 |
References
- https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
- https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42208
- https://nvd.nist.gov/vuln/detail/CVE-2026-42208
- https://github.com/BerriAI/litellm
- https://github.com/advisories/GHSA-r75f-5x8p-qvmc
CWEs
CWE-89