# Critical LiteLLM Pre-Authentication SQL Injection Vulnerability Under Active Exploitation


A critical pre-authentication SQL injection (SQLi) vulnerability in LiteLLM, the popular open-source LLM proxy and gateway library, is being actively exploited by threat actors in the wild. The flaw allows unauthenticated attackers to execute arbitrary SQL queries against backend databases, potentially leading to unauthorized data access, credential theft, and system compromise.


## The Threat


Security researchers have confirmed that the vulnerability affects LiteLLM's authentication bypass mechanism, permitting attackers to inject malicious SQL payloads before the application's authentication layer can validate requests. The pre-authentication nature of this flaw means no credentials or valid API keys are required to trigger the exploit.


Early indicators suggest:

  • Active exploitation detected in multiple production environments
  • No authentication required to trigger the vulnerability
  • Direct database access possible through crafted SQL injection payloads
  • Potential for lateral movement to other connected systems

    • Security teams monitoring threat intelligence feeds have already documented proof-of-concept (PoC) exploits circulating on underground forums and GitHub repositories, significantly accelerating the attack timeline.


    ## Background and Context


    LiteLLM has become a critical infrastructure component for organizations standardizing access to multiple large language model providers. By acting as a unified proxy, it simplifies API management across OpenAI, Anthropic, Azure, Google, and other platforms. Its adoption spans fintech, healthcare, e-commerce, and enterprise SaaS companies.


    Why this matters:

  • LiteLLM is typically deployed in trusted network positions with direct database connectivity
  • Organizations often configure it with elevated database credentials for operational flexibility
  • The library frequently stores API keys, user credentials, and sensitive configuration data in connected databases
  • Compromising LiteLLM can expose the entire downstream LLM ecosystem of an organization

    • The pre-authentication aspect significantly amplifies risk. Traditional SQL injection vulnerabilities require some level of authentication or valid input validation. This flaw bypasses those controls entirely, making the attack surface extraordinarily broad.


    ## Technical Details


    ### How the Vulnerability Works


    The SQLi flaw exists in LiteLLM's request handling logic, specifically in the authentication validation endpoint. When processing incoming API requests, the library constructs database queries by directly concatenating user-supplied input without proper parameterization or input sanitization.


    Attack vector flow:


    Attacker Request
    ↓
Authentication Endpoint (No Auth Check Yet)
    ↓
Unsanitized User Input → SQL Query Construction
    ↓
Database Executes Malicious Payload
    ↓
Data Exfiltration / System Compromise

    ### Typical Exploitation


    Attackers craft requests with SQL injection payloads in standard API parameters. A simplified example of what an attacker might attempt:


    POST /api/auth/validate
Content-Type: application/json

{
  "user_id": "admin' OR '1'='1",
  "api_key": "' UNION SELECT password FROM users--"
}

    The application, failing to sanitize these inputs, constructs a malicious query such as:


    SELECT * FROM users WHERE user_id='admin' OR '1'='1' AND api_key='...'

    This allows attackers to:

  • Bypass authentication entirely (the OR '1'='1' clause always evaluates to true)
  • Extract sensitive data via UNION-based injection
  • Modify database records in some configurations
  • Execute stored procedures depending on database permissions

    • ### Affected Versions


    The vulnerability affects LiteLLM versions prior to [patched version]. Organizations should immediately check their deployment versions against vendor security advisories.


    ## Real-World Impact


    Organizations running vulnerable LiteLLM instances face serious consequences:


    | Risk Category | Potential Impact |

    |---|---|

    | Data Breach | Unauthorized access to user credentials, API keys, customer data stored in LiteLLM databases |

    | API Key Theft | Stolen credentials for OpenAI, Anthropic, Azure, and other integrated services |

    | Financial Impact | Unauthorized API consumption, credential-based attacks on downstream services |

    | Compliance Violations | Breached customer/patient data can trigger GDPR, HIPAA, or other regulatory fines |

    | Supply Chain Risk | Compromised LiteLLM instances can become pivots for broader infrastructure attacks |


    Early reports suggest attackers are harvesting API keys and credentials from compromised LiteLLM databases, then using those credentials to:

  • Make unauthorized API calls (generating massive bills)
  • Access proprietary AI models and fine-tuning data
  • Pivot to connected internal systems

    • ## Implications for Organizations


    ### Immediate Risks


    Organizations running LiteLLM in production environments should treat this as a critical severity issue requiring immediate action:


    1. Exposed API Keys — All API keys stored in LiteLLM's database are potentially compromised

    2. Lateral Movement — Attackers gaining database access may exploit other systems on the network

    3. Compliance Breaches — Unpatched critical vulnerabilities can violate security compliance requirements

    4. Reputational Damage — Public disclosure of breaches tied to unpatched vulnerabilities


    ### Affected Organizations


    Particularly vulnerable are organizations that:

  • Deploy LiteLLM with internet-facing endpoints
  • Run older versions without security monitoring
  • Store sensitive data in LiteLLM-connected databases
  • Lack robust API key rotation procedures
  • Have limited network segmentation between LiteLLM and backend systems

    • ## Recommendations


    ### Immediate Actions (24-48 Hours)


    1. Inventory Deployments — Identify all LiteLLM instances in production and development environments

    2. Check Version Numbers — Verify which versions are running using litellm --version or checking deployment manifests

    3. Isolate Affected Systems — Move vulnerable LiteLLM instances behind additional authentication layers if patching is delayed

    4. Rotate All API Keys — Regenerate API keys for all integrated LLM services (OpenAI, Anthropic, etc.)

    5. Audit Database Logs — Check database query logs for suspicious SQL patterns or unauthorized queries


    ### Short-Term Actions (1-2 Weeks)


  • Apply Security Patches — Upgrade to the latest patched LiteLLM version from official repositories
  • Review Database Permissions — Reduce LiteLLM database account privileges to minimum necessary (read-only where applicable)
  • Enable Web Application Firewall (WAF) — Deploy WAF rules to block common SQL injection patterns
  • Implement Input Validation — Ensure all external inputs are properly validated and sanitized
  • Monitor API Consumption — Watch for unusual API usage patterns indicating key theft

    • ### Long-Term Strategy


  • Implement Database Activity Monitoring — Deploy solutions that detect anomalous database queries
  • Network Segmentation — Isolate LiteLLM instances from critical systems
  • Regular Security Audits — Conduct periodic code reviews and penetration testing
  • Dependency Management — Establish processes for rapid patching of critical vulnerabilities
  • API Key Rotation Schedule — Implement regular API key rotation every 90 days
  • Security Training — Educate teams on proper credential handling and secure API gateway configuration

    • ## Monitoring and Detection


    Security teams should monitor for exploitation attempts:


    Log Patterns to Watch:
- Requests with SQL keywords (UNION, SELECT, DROP, etc.) in parameters
- Unusual database query patterns in audit logs
- Authentication failures followed by successful queries
- Requests from unexpected geographic locations
- Bulk data extraction queries

    ## Conclusion


    The LiteLLM pre-authentication SQL injection vulnerability represents a serious threat to organizations relying on this widely-deployed library. The combination of pre-auth access, active exploitation, and the sensitive nature of data typically stored in LiteLLM databases makes this a critical priority.


    Organizations must act immediately to inventory vulnerable deployments, rotate credentials, and apply security patches. Failure to respond quickly could result in credential theft, unauthorized API consumption, and broader infrastructure compromise.


    For the latest updates, monitor the [LiteLLM GitHub security advisories](https://github.com/BerriAI/litellm) and your security vendor's threat intelligence feeds.