LiteLLM is an open-source proxy that sits between developer applications and large-language-model services. Tens of thousands of teams use it. On 2026-04-20 the project disclosed CVE-2026-42208, a Critical (9.3) SQL injection in the proxy’s API-key verification path. The vulnerability is triggered by a crafted Authorization header on any LLM route. No authentication is required.
On 2026-05-14, twenty-four days after disclosure, three IPs sprayed a working time-based blind SQLi payload at our LiteLLM-shaped sensors. The body is a textbook PostgreSQL oracle:
```
Authorization: Bearer ' OR (SELECT pg_sleep(4)) IS NOT NULL --
```

The interesting part is not the payload. It is who fired it. All three IPs sit in the Ace Data Centers, AME Hosting, and Infraly LLC hosting consortium: three sibling US providers we have been tracking through other LLM-platform exploitation kits since March. Twenty-four addresses across the consortium have hit our sensors over seventy-five days. Their intent profile evolves through four sequential phases that line up cleanly with each new public disclosure: SSH brute-force in March, LLM-platform reconnaissance in late April, Ollama model-field IMDS-SSRF on 2026-05-12, and the SQLi spray today. Same operator, three sibling hosters, four exploitation classes.
This post documents the SQLi spray, the operator footprint, and the attribution chain that ties them together.
The new payload
On 2026-05-14 between 01:55 and 07:13 UTC, three IPs hit LiteLLM proxies with a six-event sequence. The three sessions were identical to one another, down to the second.
```
GET /                    (probe alive)
GET /health              (confirm proxy class)
GET /key/info            (enumerate)
GET /v1/models           (enumerate)
GET /model/info          (enumerate)
POST /chat/completions
Authorization: Bearer ' OR (SELECT pg_sleep(4)) IS NOT NULL --
body: {"model":"x","messages":[{"role":"user","content":"1"}],"max_tokens":1}
```

The exploit is in the Authorization header, not the body. A vulnerable proxy executes pg_sleep(4) inside its API-key verification query and responds approximately four seconds slower than a non-vulnerable proxy. The chat-completions body is a syntactically valid request that does not need to succeed. Its purpose is to reach the authentication path that contains the vulnerability.
| Time (UTC) | Source IP | ASN | User-Agent |
|---|---|---|---|
| 2026-05-14 01:55:48 | 45.45.237.65 | Infraly, LLC | Edge 124 on Windows 10 |
| 2026-05-14 04:42:50 | 45.45.237.238 | Infraly, LLC | Firefox 128 on Windows 10 |
| 2026-05-14 07:13:31 | 104.204.218.158 | AME Hosting LLC | Chrome 125 on Linux x86_64 |
The User-Agent rotates per IP. The payload, the body, the path order, and the request timing within the session are byte-identical. Three different /32s firing the same kit from two sibling hosting providers within a six-hour window.
The operator trail
The three IPs that fired the SQLi today are part of a much larger pattern. Across the seventy-five days since 2026-03-01, twenty-four distinct addresses on the three sibling US hosters Ace Data Centers II LLC, AME Hosting LLC, and Infraly LLC have appeared in this surface. The intent profile evolves through four sequential phases.
| Phase | Window | Activity | Representative IPs |
|---|---|---|---|
| 1 | 2026-03-01 to 04-23 | SSH credential brute-force | 76.164.199.128, 144.31.140.43, 144.31.11.68, 77.239.101.129, 77.239.103.200 |
| 2 | 2026-04-24 to 05-11 | Ollama and LiteLLM admin reconnaissance | 168.93.202.183, 168.93.202.186, 168.93.202.187, 144.31.186.157, 104.204.218.182 |
| 3 | 2026-05-12 | Ollama model field IMDS-SSRF abuse | 23.161.169.51, 104.204.218.173, 174.136.203.219 |
| 4 | 2026-05-14 | LiteLLM CVE-2026-42208 SQL injection blind oracle | 45.45.237.65, 45.45.237.238, 104.204.218.158 |
Phase transitions correspond to public disclosure of the relevant vulnerability classes. The April 24 pivot to LLM reconnaissance follows the LiteLLM disclosure cluster that began on April 3. The May 12 Ollama-SSRF activity follows public discussion of model-field injection in self-hosted LLM gateways. The May 14 SQL injection wave came 30 hours later.
Attribution
The campaign-level attribution rests on four independent signals.
Shared hosting consortium. Twenty-four IPs distribute across only three providers, all US-based, all known to host scanning operations. IPs rotate freely across providers within phases.
Identical path enumeration. The May 12 IMDS-SSRF actors (23.161.169.51, 104.204.218.173, 174.136.203.219) and the May 14 SQLi actors (45.45.237.65, 45.45.237.238, 104.204.218.158) all opened with the same six-step path sequence: GET / then GET /health then GET /key/info then GET /v1/models then GET /model/info, followed by the payload-bearing POST /chat/completions. This sequence is not a generic LLM scanner template. It is specific to the operator’s tool.
Shared credential dictionary. A May 8 reconnaissance session from 144.31.186.157 fired a twenty-four-key master-key dictionary against /key/generate in the exact order sk-1234, sk-litellm, sk-12345, sk-123456, sk-admin, sk-test, sk-default, sk-proxy, sk-master, sk-litellm-master-key, sk-my-api-key, sk-key, sk-secret, sk-password, sk-llm, sk-api, sk-openai, sk-anthropic, sk-bedrock, sk-litellm-proxy, sk-dev, sk-prod. A separate IP, 164.52.192.134, ran the same dictionary in the same order on the same day. The order and contents are operator-curated, not a generic password list.
Burst-then-quiet temporal clustering. All three May 12 IMDS-SSRF actors fired within a four-hour window. All three May 14 SQLi actors fired within a six-hour window. Each phase consists of a coordinated burst across IPs, then quiet.
Individually each signal is suggestive. Together they describe a single operator running phased exploitation toolkits across pre-staged IP rotations.
Immediate Mitigation Steps
- Upgrade to LiteLLM version 1.83.11 or later immediately.
- Rotate the `LITELLM_MASTER_KEY` if it matches `sk-1234` or `sk-litellm-master-key`.
- Consider disabling the `/guardrails/test_custom_code` endpoint in production environments.
- Implement WAF or intrusion-detection rules matching the patterns listed in the IOCs section.
IOCs
Active CVE-2026-42208 actors (2026-05-14):
| Source IP | ASN |
|---|---|
| 45[.]45[.]237[.]65 | Infraly, LLC |
| 45[.]45[.]237[.]238 | Infraly, LLC |
| 104[.]204[.]218[.]158 | AME Hosting LLC |
Wider operator footprint (75-day campaign, twenty-four IPs across three ASNs):
HTTP signatures:
- `Authorization` header matching `Bearer\s+['"]?\s*(OR|AND)\s+`, especially with PostgreSQL functions (`pg_sleep`, `current_setting`, `current_database`).
- `Authorization: Bearer ' OR (SELECT pg_sleep` as a literal substring match.
- The six-step path sequence `GET /` then `GET /health` then `GET /key/info` then `GET /v1/models` then `GET /model/info` then `POST /chat/completions` within a single sub-second session.
- POST `/chat/completions` body containing `{"model":"x","messages":[{"role":"user","content":"1"}]}` when paired with any non-standard `Authorization` header value.
- Inbound HTTP from any IP in the Ace Data Centers II LLC, AME Hosting LLC, or Infraly LLC ASNs against any LiteLLM proxy.
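As an added example (not code from the post or from the LiteLLM project), the following Python detector applies the HTTP signatures above, plus the path-sequence and body-shape observations from the payload section, to constructed sample access-log lines. The tab-separated log format, the `AUTH_OK_RE` notion of a well-formed bearer key, and the benign client at 10.0.0.5 are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (tab-separated: ts, src, method, path, authorization, body), not the
# post's telemetry: six lines mirror the observed session shape, two are a benign client.
SAMPLE_LOG = """\
2026-05-14T01:55:48.100\t45.45.237.65\tGET\t/\t\t
2026-05-14T01:55:48.210\t45.45.237.65\tGET\t/health\t\t
2026-05-14T01:55:48.320\t45.45.237.65\tGET\t/key/info\t\t
2026-05-14T01:55:48.430\t45.45.237.65\tGET\t/v1/models\t\t
2026-05-14T01:55:48.540\t45.45.237.65\tGET\t/model/info\t\t
2026-05-14T01:55:48.650\t45.45.237.65\tPOST\t/chat/completions\tBearer ' OR (SELECT pg_sleep(4)) IS NOT NULL --\t{"model":"x","messages":[{"role":"user","content":"1"}],"max_tokens":1}
2026-05-14T02:10:00.000\t10.0.0.5\tGET\t/health\t\t
2026-05-14T02:10:01.000\t10.0.0.5\tPOST\t/chat/completions\tBearer sk-placeholder\t{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}]}
"""
AUTH_SQLI_RE = re.compile(r"Bearer\s+['\"]?\s*(OR|AND)\s+", re.IGNORECASE)  # regex from the post
AUTH_OK_RE = re.compile(r"^Bearer\s+[A-Za-z0-9_\-]+$")  # assumed shape of a well-formed key
PG_FUNCS = ("pg_sleep", "current_setting", "current_database")
PATH_SEQ = [("GET", "/"), ("GET", "/health"), ("GET", "/key/info"),
            ("GET", "/v1/models"), ("GET", "/model/info"), ("POST", "/chat/completions")]

def is_probe_body(body):
    # The observed probe body: model "x" and a single one-character user message.
    try:
        j = json.loads(body)
    except ValueError:
        return False
    return j.get("model") == "x" and j.get("messages") == [{"role": "user", "content": "1"}]

def detect(log, window=timedelta(seconds=1)):
    # Returns {source IP: sorted list of signature names it tripped}.
    findings, by_src = defaultdict(set), defaultdict(list)
    for line in log.splitlines():
        ts, src, method, path, auth, body = line.split("\t")
        by_src[src].append((datetime.fromisoformat(ts), method, path))
        if AUTH_SQLI_RE.search(auth):
            findings[src].add("sqli-auth-header")
            if any(f in auth.lower() for f in PG_FUNCS):
                findings[src].add("pg-function-in-auth")
        if is_probe_body(body) and not AUTH_OK_RE.match(auth):
            findings[src].add("probe-body-with-odd-auth")
    for src, evs in by_src.items():  # six-step path sequence inside one sub-second window
        evs.sort()
        for i in range(len(evs) - len(PATH_SEQ) + 1):
            chunk = evs[i:i + len(PATH_SEQ)]
            if [(m, p) for _, m, p in chunk] == PATH_SEQ and chunk[-1][0] - chunk[0][0] <= window:
                findings[src].add("six-step-sequence")
    return {src: sorted(r) for src, r in findings.items()}
```

Run `detect(SAMPLE_LOG)` to see the scanning source trip all four signatures while the benign client produces no finding.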
Provenance
CVE numbers, severities, affected ranges, and fix versions were cross-checked against the cited GitHub Advisory DB pages. Campaign attribution rests on the four signals enumerated above. ASN attribution came from passive enrichment. No subject IP was probed. No payload was executed.