Critical SQL Injection Vulnerability in LiteLLM Exploited in-the-Wild (Campaign)
ID: 5fe9f105-76c7-5a77-bd4f-cea8f7332fe8
STIX ID: report--5fe9f105-76c7-5a77-bd4f-cea8f7332fe8
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-04-27
Date Updated: 2026-05-11
Author: [email protected] (Wiz Threat Research)
A critical SQL injection in LiteLLM's authentication processing allows attackers to inject SQL via the Authorization: Bearer header and directly access the PostgreSQL database; active exploitation has been observed with UNION-based payloads used to enumerate schema and exfiltrate sensitive tables (litellm_credentials, litellm_config, LiteLLM_VerificationToken), indicating targeted knowledge of the schema and credential storage.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.