In-the-wild exploitation of the LiteLLM SQL injection vulnerability (CVE-2026-42208) has been detected. This vulnerability stems from the proxy directly concatenating the API key value provided by the caller into database query statements during key validation, rather than utilizing parameterized queries or proper secure escaping. A remote, unauthenticated attacker can exploit this flaw by crafting a malicious Authorization header to execute arbitrary SQL commands without requiring any prior privileges. Successful exploitation allows the attacker to read and tamper with data within the proxy’s database, gain unauthorized access to the proxy’s internal privileges, and exfiltrate various hosted credentials and API keys, thereby achieving unauthorized access and privilege escalation. Proof-of-Concept (PoC) code and technical details regarding this vulnerability have now been publicly disclosed.