Cyber Threat Brief — May 10 2026
⚠️ This report is AI-generated. Always validate findings.
1. LiteLLM Pre-Auth SQL Injection — CVE-2026-42208
TL;DR: CISA added CVE-2026-42208 (CVSS 9.8) to KEV on May 8. Sysdig documented targeted exploitation 36 hours after disclosure — attackers extracted LLM provider credentials (OpenAI, Anthropic, Bedrock) from the proxy database via schema-aware UNION injection.
What’s New:
- Pre-auth SQLi in the Bearer token validation path: the Authorization: Bearer value is concatenated into a SELECT without parameterization (versions 1.81.16 to 1.83.6)
- Attacker used the correct Prisma PascalCase table names ("LiteLLM_VerificationToken"), not generic scanner behavior
- Targeted the three highest-value tables: LiteLLM_VerificationToken (virtual API keys), litellm_credentials (upstream provider keys), litellm_config (env vars incl. master key and DB DSN)
- Two-phase attack with IP rotation across the same /22 AS200373 block, 21 minutes apart
- Federal deadline June 5; patched in v1.83.7
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 65.111.27[.]132 | Source IP | T1190 | WAF / reverse proxy logs | Block and hunt |
| 65.111.25[.]67 | Source IP | T1190 | WAF / reverse proxy logs | Block and hunt |
| Python/3.12 aiohttp/3.9.1 | User-Agent | T1190 | WAF / web server logs | Alert on LiteLLM endpoints |
| Authorization: Bearer sk-litellm' | Injection marker | T1190 | Web server access logs | Hunt single-quote in Bearer tokens |
| UNION SELECT in Authorization header | SQLi payload | T1190 | WAF / web server logs | Block SQL keywords in auth headers |
| POST /chat/completions with empty/75B body | Recon pattern | T1190 | Reverse proxy logs | Correlate with above indicators |
| LiteLLM v1.81.16–1.83.6 | Vulnerable versions | T1190 | Software inventory | Patch to 1.83.7+ immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No LiteLLM-specific detection; need custom rule for SQLi patterns in Authorization headers on /chat/completions |
| Elastic | None | No coverage; custom rule needed for Bearer token injection patterns |
| Sigma | None | No rule; write detection for single-quote + SQL keywords in HTTP Authorization headers |
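A starting point for the custom rule the table calls for, added here as an example rather than code from the brief's sources: a Python hunt over constructed access-log lines (Combined Log Format with the Authorization header appended as a final quoted field, an assumed logging setup) that flags single quotes or SQL keywords inside Bearer tokens on the LiteLLM chat endpoints.

```python
import re
from typing import Optional

# Constructed sample lines for this example; the IPs, User-Agent and injection
# marker mirror the brief's indicators but are not real captures.
SAMPLE_LOG = """\
65.111.27.132 - - [08/May/2026:14:02:11 +0000] "POST /chat/completions HTTP/1.1" 401 0 "-" "Python/3.12 aiohttp/3.9.1" "Bearer sk-litellm' UNION SELECT"
10.0.0.5 - - [08/May/2026:14:02:15 +0000] "POST /chat/completions HTTP/1.1" 200 812 "-" "openai-python/1.30" "Bearer sk-litellm-abc123"
65.111.25.67 - - [08/May/2026:14:23:40 +0000] "POST /v1/chat/completions HTTP/1.1" 401 0 "-" "Python/3.12 aiohttp/3.9.1" "Bearer sk-litellm'"
10.0.0.9 - - [08/May/2026:14:25:01 +0000] "GET /health HTTP/1.1" 200 17 "-" "curl/8.5" "-"
"""

# Assumed log layout: CLF fields, then referer, User-Agent, Authorization as quoted fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)
# Keywords a virtual key (sk-...) never legitimately contains. Short words such
# as OR/AND are left out on purpose: they would match inside random key material.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|FROM|WHERE|SLEEP|PG_SLEEP)\b", re.I)
LITELLM_ENDPOINTS = ("/chat/completions", "/v1/chat/completions")

def classify_auth(auth: str) -> Optional[str]:
    """Return a reason when a Bearer value looks like an injection attempt, else None."""
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    if "'" in token:
        return "single-quote in Bearer token"
    if SQL_KEYWORDS.search(token):
        return "SQL keyword in Bearer token"
    return None

def hunt(log_text: str) -> list[dict]:
    """Parse each line and collect findings for suspicious Bearer tokens on LiteLLM endpoints."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].endswith(LITELLM_ENDPOINTS):
            continue  # unparsable line or not a LiteLLM chat endpoint
        reason = classify_auth(m["auth"])
        if reason:
            findings.append({"ip": m["ip"], "path": m["path"], "ua": m["ua"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['ua']!r}: {f['reason']}")
```

On the sample, the two aiohttp requests from the brief's /22 block are flagged and the legitimate client and the health check are not; the same classify_auth check can be lifted into a Splunk or Elastic rule as a regex over the captured Authorization field.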
Sources: Sysdig TRT Analysis, CISA KEV, Bishop Fox Advisory, BleepingComputer
Status Updates
- CVE-2026-43284/43500 — Dirty Frag (Linux Kernel): Microsoft Defender published six detection signatures (Exploit:Linux/DirtyFrag.A/B, Trojan variants). Defender for Cloud alert “Potential exploitation of dirtyfrag vulnerability detected” now live. Kernel patches released May 8 for CVE-2026-43284; CVE-2026-43500 patches still pending for some distros. Original brief.
- CVE-2026-0300 — PAN-OS User-ID Portal (Palo Alto): Federal deadline passed May 9 with NO vendor patch available. First patches expected May 13. CL-STA-1132 state-sponsored exploitation ongoing. Threat Prevention signature 510019 is only mitigation. Original brief.
- CVE-2026-6973 — Ivanti EPMM: Federal deadline TODAY May 10. Chained with CVE-2026-1340 for unauthenticated admin RCE. Still no public PoC or vendor IOCs. Original brief.
- CVE-2026-32202 — Windows Shell NTLM Coercion (APT28): Federal deadline May 12 (in 2 days). Zero-click LNK-based NTLM hash theft targeting Ukraine/EU. Block outbound SMB (TCP 445) at the perimeter. Original brief.