FixVibe
Covered by FixVibe (severity: critical)

LiteLLM SQL Injection in Proxy Key Verification

LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the Proxy API key verification logic. This flaw allows unauthenticated attackers to bypass authentication controls or access the underlying database. The issue is resolved in version 1.83.7.

CVE-2026-42208 | GHSA-r75f-5x8p-qvmc | CWE-89

Impact

LiteLLM contains a critical SQL injection vulnerability in its Proxy API key verification process [S1]. This flaw allows unauthenticated attackers to bypass security checks and potentially access or exfiltrate data from the underlying database [S1][S3].

Root Cause

The issue is identified as CWE-89 (SQL Injection) [S1]. It is located in the API key verification logic of the LiteLLM Proxy component [S2]. The vulnerability stems from insufficient sanitization of input used in database queries [S1].
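To make the CWE-89 pattern behind this advisory concrete, the following added example (it is not LiteLLM's code, and the advisory does not say where the real query lives) contrasts a hypothetical key lookup that splices the presented key into the SQL text with a hardened version that binds it as a parameter and checks the key's shape first. The table, column names and the sample key are constructed for the illustration.

```python
import re
import sqlite3

# Constructed in-memory key table standing in for a proxy's key store.
# Hypothetical illustration of CWE-89 in a key-verification path; this is
# not LiteLLM's code and says nothing about where its real query lives.
KEY_SHAPE = re.compile(r"^sk-[A-Za-z0-9_-]{8,}$")   # assumed issued-key format


def make_key_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO virtual_keys VALUES (?, ?)", ("sk-demo-12345678", "team-a"))
    conn.commit()
    return conn


def lookup_unsafe(conn, presented_key):
    """Vulnerable pattern: the presented key is spliced into the SQL text, so
    quote characters inside it are read by the database as SQL syntax."""
    sql = f"SELECT token, team FROM virtual_keys WHERE token = '{presented_key}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, presented_key):
    """Hardened pattern: the key travels as a bound parameter and is compared
    as an opaque value, whatever characters it contains."""
    sql = "SELECT token, team FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (presented_key,)).fetchone()


def verify_key(conn, presented_key):
    """Defence in depth: reject keys that do not match the issued format before
    touching the database, then use the parameterised lookup. Returns the
    team name for a valid key and None otherwise."""
    if not KEY_SHAPE.match(presented_key):
        return None
    row = lookup_safe(conn, presented_key)
    return row[1] if row else None


def input_reaches_sql_parser(conn, presented_key):
    """True when the unsafe lookup lets the presented key alter the statement
    itself: a lone single quote produces a syntax error instead of a miss."""
    try:
        lookup_unsafe(conn, presented_key)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_key_store()
    print("unsafe lookup parses input as SQL:", input_reaches_sql_parser(db, "sk-demo'"))
    print("safe lookup of the same input:", lookup_safe(db, "sk-demo'"))
    print("valid key resolves to team:", verify_key(db, "sk-demo-12345678"))
```

The syntax error raised by `lookup_unsafe` for a key containing a single quote is the observable sign that user input is being parsed as SQL; the parameterised `lookup_safe` simply finds no row for the same input. The format check in `verify_key` is an extra layer, not a substitute for parameter binding.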

Affected Versions

LiteLLM versions 1.81.16 through 1.83.6 are affected by this vulnerability [S1].

Concrete Fixes

Update LiteLLM to version 1.83.7 or higher to mitigate this vulnerability [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including requirements.txt, pyproject.toml, poetry.lock, and Pipfile.lock. It flags LiteLLM pins or version constraints that match the affected range >=1.81.16 <1.83.7, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
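The check described above can be reproduced in a few dozen lines. The following added example is not FixVibe's scanner; it implements the same static, read-only logic for two of the four file types named (requirements.txt and Pipfile.lock), reduces a pin or specifier set to a version interval, intersects it with the affected range >=1.81.16 <1.83.7, and reports file, line, advisory IDs, affected range and fixed version. The sample dependency files are constructed for the illustration.

```python
import json
import re

# Affected range and identifiers as stated in the advisory above.
AFFECTED_LO = (1, 81, 16)          # first affected version (inclusive)
AFFECTED_HI = (1, 83, 7)           # first fixed version (exclusive)
AFFECTED_RANGE = ">=1.81.16 <1.83.7"
FIXED_VERSION = "1.83.7"
ADVISORY_IDS = ("CVE-2026-42208", "GHSA-r75f-5x8p-qvmc")

_SPEC_RE = re.compile(r"(==|~=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")
# A requirements.txt line for litellm (optional extras), up to any comment or marker.
_REQ_RE = re.compile(r"^\s*litellm(?![\w-])(?:\[[^\]]*\])?\s*([^#;]*)", re.IGNORECASE)

def parse_version(text):
    """'1.82.3' -> (1, 82, 3); shorter strings are zero-padded to three parts."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def _bump(v):
    """Smallest three-part version strictly greater than v."""
    return (v[0], v[1], v[2] + 1)

def allowed_interval(spec):
    """Reduce a specifier set such as '>=1.81.0,<1.84' to one closed-open interval
    [lo, hi). Handles ==, ~=, >=, >, <=, <; returns None when no operator is
    present or the constraints contradict each other."""
    lo, hi, matched = (0, 0, 0), (10**6, 0, 0), False
    for op, raw in _SPEC_RE.findall(spec):
        matched, v = True, parse_version(raw)
        if op == "==":
            lo, hi = max(lo, v), min(hi, _bump(v))
        elif op == ">=":
            lo = max(lo, v)
        elif op == ">":
            lo = max(lo, _bump(v))
        elif op == "<":
            hi = min(hi, v)
        elif op == "<=":
            hi = min(hi, _bump(v))
        elif op == "~=":
            # ~=1.82.0 means >=1.82.0,<1.83.0 and ~=1.82 means >=1.82,<2.0
            n = len(raw.split("."))
            ceiling = list(v)
            if n >= 2:
                ceiling[n - 2] += 1
                ceiling[n - 1:] = [0] * (3 - (n - 1))
                hi = min(hi, tuple(ceiling))
            lo = max(lo, v)
    if not matched or lo >= hi:
        return None
    return lo, hi

def overlaps_affected(interval):
    """True if some version inside [lo, hi) also lies in the affected range."""
    lo, hi = interval
    return max(lo, AFFECTED_LO) < min(hi, AFFECTED_HI)

def _finding(filename, line_no, spec):
    return {"file": filename, "line": line_no, "spec": spec, "advisories": ADVISORY_IDS,
            "affected_range": AFFECTED_RANGE, "fixed_version": FIXED_VERSION}

def scan_requirements(text, filename="requirements.txt"):
    """Flag litellm lines whose pin or constraint can resolve to an affected version.
    An unpinned 'litellm' line carries no version information and is not flagged."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _REQ_RE.match(line)
        if m:
            spec = m.group(1).strip()
            interval = allowed_interval(spec)
            if interval and overlaps_affected(interval):
                findings.append(_finding(filename, line_no, spec))
    return findings

def scan_pipfile_lock(text, filename="Pipfile.lock"):
    """Pipfile.lock is JSON with exact pins: {"default": {"litellm": {"version": "==1.82.0"}}}."""
    data = json.loads(text)
    line_no = next((i for i, l in enumerate(text.splitlines(), 1) if '"litellm"' in l), None)
    findings = []
    for section in ("default", "develop"):
        entry = data.get(section, {}).get("litellm")
        spec = entry.get("version", "") if entry else ""
        interval = allowed_interval(spec)
        if interval and overlaps_affected(interval):
            findings.append(_finding(filename, line_no, spec))
    return findings

# Constructed sample dependency files (not taken from any real repository).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
litellm[proxy]==1.82.0        # exact pin inside the affected range
LiteLLM ~= 1.83.7             # resolves to >=1.83.7,<1.84: fixed
litellm>=1.80.0,<1.81.16      # upper bound stops before the range
litellm-extras==1.82.0        # a different package, ignored
"""
SAMPLE_PIPFILE_LOCK = json.dumps(
    {"default": {"litellm": {"version": "==1.81.16"}}, "develop": {}}, indent=1)

if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQUIREMENTS) + scan_pipfile_lock(SAMPLE_PIPFILE_LOCK):
        print(f"{f['file']}:{f['line']}: litellm {f['spec']} overlaps {f['affected_range']}; "
              f"upgrade to {f['fixed_version']} ({', '.join(f['advisories'])})")
```

Note the design choice in `overlaps_affected`: a constraint is flagged when any version it permits falls in the affected range, so an open-ended `litellm>=1.81.0` is reported even though a fresh resolution would likely pick a fixed release, while `>=1.80.0,<1.81.16` is not. Wildcard pins such as `==1.82.*` are approximated as the exact base version, which still lands inside the range here.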