FixVibe
Covered by FixVibe. Severity: critical.


A critical SQL injection vulnerability (CVE-2026-42208) in LiteLLM's proxy component allows attackers to bypass authentication or access sensitive database information by exploiting the API key verification process.

Identifiers: CVE-2026-42208, GHSA-r75f-5x8p-qvmc, CWE-89

Impact

LiteLLM versions from 1.81.16 up to (but not including) 1.83.7 contain a critical SQL injection vulnerability within the proxy's API key verification mechanism [S1]. Successful exploitation allows an unauthenticated attacker to bypass security controls or perform unauthorized database operations [S1]. This vulnerability is assigned a CVSS score of 9.8, reflecting its high impact on system confidentiality and integrity [S2].

Root Cause

The vulnerability exists because the LiteLLM proxy fails to properly sanitize or parameterize the API key provided in the Authorization header before using it in a database query [S1]. This allows malicious SQL commands embedded in the header to be executed by the backend database [S3].

Affected Versions

  • LiteLLM: Versions 1.81.16 up to (but not including) 1.83.7 [S1].

Concrete Fixes

  • Update LiteLLM: Immediately upgrade the litellm package to version 1.83.7 or later to patch the injection flaw [S1].
  • Audit Database Logs: Review database access logs for unusual query patterns or unexpected syntax originating from the proxy service [S1].

Detection Logic

Security teams can identify exposure by:

  • Version Scanning: Checking environment manifests for LiteLLM versions within the affected range (1.81.16 to 1.83.6) [S1].
  • Header Monitoring: Inspecting incoming requests to the LiteLLM proxy for SQL injection patterns specifically within the Authorization: Bearer token field [S1].
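The two detection checks above as one runnable scan, added here as an example and not FixVibe's or LiteLLM's own code. The access-log line format, the sample lines, and the assumption that a legitimate bearer token contains only the characters `[A-Za-z0-9._-]` are constructed for the illustration; the version range is the one the advisory states.

```python
import re
from typing import Iterable, List, Tuple

# Affected range as stated in the advisory: 1.81.16 <= version < 1.83.7
AFFECTED_MIN = (1, 81, 16)
FIXED_AT = (1, 83, 7)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'litellm==1.82.3' or '1.82.3' into a comparable int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when a manifest entry falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


# Assumption (not from the advisory): a legitimate API key is one opaque
# identifier made of [A-Za-z0-9._-]. Quotes, comment markers, statement
# separators or SQL keywords have no place in a key and are worth flagging.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")
_SQL_HINTS = re.compile(r"('|--|;|/\*|\b(?:OR|AND|UNION|SELECT|DROP)\b)", re.IGNORECASE)


def suspicious_bearer(token: str) -> bool:
    return not _SAFE_TOKEN.match(token) and bool(_SQL_HINTS.search(token))


# Constructed log format: the proxy is assumed to log the raw header value.
_AUTH = re.compile(r'authorization="Bearer ([^"]*)"', re.IGNORECASE)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_no, token) for each request whose bearer token looks like SQL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _AUTH.search(line)
        if m and suspicious_bearer(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample access-log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 POST /chat/completions authorization="Bearer sk-abc123"',
    '10.0.0.9 POST /chat/completions authorization="Bearer x\' OR \'1\'=\'1"',
    '10.0.0.7 GET /health authorization="Bearer sk-Zz9_-."',
]

if __name__ == "__main__":
    print("litellm==1.82.0 affected:", is_affected("litellm==1.82.0"))
    for n, tok in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious bearer token {tok!r}")
```

Tokens that arrive URL-encoded or with unicode look-alikes will slip past this allowlist, so decode the header value before matching.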