FixVibe

LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the Proxy API key verification logic. This flaw allows unauthenticated attackers to bypass authentication controls or access the underlying database. The issue is resolved in version 1.83.7.

CVE-2026-42208 | GHSA-r75f-5x8p-qvmc | CWE-89

Impact

LiteLLM contains a critical SQL injection vulnerability in its Proxy API key verification process [S1]. This flaw allows unauthenticated attackers to bypass security checks and potentially access or exfiltrate data from the underlying database [S1][S3].

Root Cause

The issue is identified as CWE-89 (SQL Injection) [S1]. It is located in the API key verification logic of the LiteLLM Proxy component [S2]. The vulnerability stems from insufficient sanitization of input used in database queries [S1].
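The advisory does not reproduce LiteLLM's query, so the following is an added, hypothetical illustration of the CWE-89 pattern the Impact and Root Cause sections describe: an API-key lookup that splices the caller-supplied key into SQL text, next to the parameterized form that closes the hole. This is example code written for this page, not LiteLLM's code; the `api_keys` and `secrets` tables, the rows in them, and the two attacker inputs are constructed for the demo and make no claim about how CVE-2026-42208 is actually triggered.

```python
"""CWE-89 in an API-key lookup: string-built SQL beside the parameterized form.
Hypothetical code written for this page, not LiteLLM's; tables and rows are constructed."""
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite with one valid key and one row of 'sensitive' data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, user_id TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('sk-valid-key', 'alice')")
    conn.execute("CREATE TABLE secrets (value TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db-secret-xyz')")
    return conn


def verify_key_vulnerable(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """BAD: the caller-supplied token is spliced into the SQL text, so quote characters
    in it change the query's structure (CWE-89). Returns the matched user id or None."""
    sql = f"SELECT user_id FROM api_keys WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def verify_key_hardened(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """GOOD: the token is bound as a parameter; the driver never parses it as SQL."""
    row = conn.execute("SELECT user_id FROM api_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


# Two textbook CWE-89 inputs, constructed for the demo (no claim about LiteLLM's actual bug).
BYPASS_TOKEN = "' OR '1'='1"                         # tautology: WHERE clause is always true
READ_TOKEN = "' UNION SELECT value FROM secrets --"  # pulls a row out of another table


def demo() -> dict:
    """Run both lookups against a valid key and the two hostile tokens."""
    conn = build_demo_db()
    return {
        "valid/vulnerable": verify_key_vulnerable(conn, "sk-valid-key"),
        "valid/hardened": verify_key_hardened(conn, "sk-valid-key"),
        "bypass/vulnerable": verify_key_vulnerable(conn, BYPASS_TOKEN),   # 'alice': auth bypassed
        "bypass/hardened": verify_key_hardened(conn, BYPASS_TOKEN),       # None
        "read/vulnerable": verify_key_vulnerable(conn, READ_TOKEN),       # 'db-secret-xyz': data read
        "read/hardened": verify_key_hardened(conn, READ_TOKEN),           # None
    }
```

The hardened version needs no input sanitization at all: binding the token as a parameter is what removes the injection, which is why "insufficient sanitization" fixes of this class are best replaced by parameterized queries rather than by a longer denylist of characters.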

Affected Versions

LiteLLM versions 1.81.16 through 1.83.6 are affected by this vulnerability [S1].

Concrete Fixes

Update LiteLLM to version 1.83.7 or higher to mitigate this vulnerability [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including requirements.txt, pyproject.toml, poetry.lock, and Pipfile.lock. It flags LiteLLM pins or version constraints that match the affected range >=1.81.16 <1.83.7, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
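To make the version-range check above concrete, here is an added example of the same kind of static, read-only dependency-file scan. It is illustration code written for this page, not FixVibe's scanner: it handles requirements.txt and pyproject.toml string specifiers, poetry.lock `[[package]]` blocks and Pipfile.lock JSON, flags any LiteLLM pin or constraint whose allowed versions overlap `>=1.81.16 <1.83.7`, and reports the file, line number, advisory IDs, affected range and fixed version. The sample files are constructed, and the treatment of unconstrained entries (reported, since the resolver may pick an affected release) and of the `>`, `~=`, `^` and `!=` operators (handled conservatively so the check over-reports rather than under-reports) are assumptions of this example.

```python
"""Static, read-only check of Python dependency files for LiteLLM versions in the
CVE-2026-42208 range (>=1.81.16 <1.83.7). Constructed illustration, not FixVibe's scanner."""
import json
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]
AFFECTED_LOW: Version = (1, 81, 16)  # first affected release, inclusive
FIXED: Version = (1, 83, 7)          # fix release, exclusive upper bound
ADVISORIES = "CVE-2026-42208, GHSA-r75f-5x8p-qvmc"
RANGE_TEXT, FIXED_TEXT = ">=1.81.16 <1.83.7", "1.83.7"


class Finding(NamedTuple):
    file: str
    line_no: int
    spec: str
    advisory_ids: str
    affected_range: str
    fixed_version: str


def parse_version(text: str) -> Version:
    """'1.83.6' -> (1, 83, 6); missing parts ('1.83', '1.82.*') become 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]] + [0, 0, 0]
    return (nums[0], nums[1], nums[2])


_CLAUSE = re.compile(r"(==|>=|<=|~=|!=|>|<|\^)\s*([0-9][0-9A-Za-z.*]*)")


def spec_hits_affected_range(spec: str) -> bool:
    """True if the versions `spec` allows intersect [AFFECTED_LOW, FIXED).
    The allowed set is tracked as a half-open interval [low, high). Operators needing
    exact semantics are handled conservatively (over-report, never under-report):
    '>', '~=' and poetry's '^' act as '>=', and '!=' is ignored."""
    clauses = _CLAUSE.findall(spec)
    if not clauses:  # assumption: an unconstrained dependency may resolve to an affected release
        return True
    low: Version = (0, 0, 0)
    high: Optional[Version] = None
    for op, raw in clauses:
        v = parse_version(raw)
        if op == "==" and "*" in raw:  # '==1.81.*' is a range, not a pin
            n = len(re.findall(r"\d+", raw))
            low, high = v, ((v[0] + 1, 0, 0) if n == 1 else (v[0], v[1] + 1, 0))
        elif op == "==":
            return AFFECTED_LOW <= v < FIXED
        elif op in (">=", ">", "~=", "^"):
            low = max(low, v)
        elif op in ("<", "<="):
            if op == "<=":
                v = (v[0], v[1], v[2] + 1)  # '<=x' is '<x.next-patch'
            high = v if high is None else min(high, v)
    start, end = max(low, AFFECTED_LOW), FIXED if high is None else min(high, FIXED)
    return start < end


# requirements.txt / PEP 621 / poetry string entries, e.g. 'litellm[proxy]>=1.81.16,<1.83.7',
# '"litellm==1.82.3",', 'litellm = "^1.82.0"'; the lookahead rejects 'litellm-something'.
_REQ_LINE = re.compile(
    r'^\s*["\']?litellm(?:\[[^\]]*\])?(?![\w-])["\']?\s*(?:=\s*["\'])?([^"\'#;]*)', re.I)
# poetry.lock: 'name = "litellm"' is immediately followed by 'version = "..."'.
_POETRY_PKG = re.compile(r'name\s*=\s*"litellm"\s*\nversion\s*=\s*"([^"]+)"')


def _finding(path: str, line_no: int, spec: str) -> Finding:
    return Finding(path, line_no, spec, ADVISORIES, RANGE_TEXT, FIXED_TEXT)


def _scan_requirement_lines(path: str, text: str) -> Iterator[Finding]:
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _REQ_LINE.match(line)
        if m and spec_hits_affected_range(m.group(1)):
            yield _finding(path, line_no, line.strip())


def _scan_poetry_lock(path: str, text: str) -> Iterator[Finding]:
    for m in _POETRY_PKG.finditer(text):
        if AFFECTED_LOW <= parse_version(m.group(1)) < FIXED:
            yield _finding(path, text.count("\n", 0, m.start(1)) + 1, f"litellm=={m.group(1)}")


def _scan_pipfile_lock(path: str, text: str) -> Iterator[Finding]:
    data, lines = json.loads(text), text.splitlines()
    for section in ("default", "develop"):
        entry = data.get(section, {}).get("litellm")
        if entry and spec_hits_affected_range(entry.get("version", "")):
            line_no = next(i for i, ln in enumerate(lines, 1) if '"litellm"' in ln)
            yield _finding(path, line_no, "litellm" + entry.get("version", ""))


def scan_dependency_file(path: str, text: str) -> List[Finding]:
    """Dispatch on the file name; the text is parsed only, never executed."""
    name = path.rsplit("/", 1)[-1].lower()
    if name == "poetry.lock":
        return list(_scan_poetry_lock(path, text))
    if name == "pipfile.lock":
        return list(_scan_pipfile_lock(path, text))
    return list(_scan_requirement_lines(path, text))  # requirements.txt, pyproject.toml


# Constructed sample files (not taken from any real repository).
SAMPLES = {
    "requirements.txt": "fastapi==0.115.0\nlitellm==1.82.3\nlitellm[proxy]>=1.81.16,<1.83.7\n"
                        "litellm>=1.83.7\nlitellm-plugin-demo==1.82.0\n",
    "pyproject.toml": '[tool.poetry.dependencies]\nlitellm = "^1.82.0"\n',
    "poetry.lock": '[[package]]\nname = "litellm"\nversion = "1.83.6"\n\n'
                   '[[package]]\nname = "httpx"\nversion = "0.27.0"\n',
    "Pipfile.lock": '{\n  "default": {\n    "litellm": {"version": "==1.81.16"},\n'
                    '    "httpx": {"version": "==0.27.0"}\n  }\n}\n',
}


def scan_samples() -> List[Finding]:
    """Scan every constructed sample; each Finding carries file, line, IDs, range and fix."""
    return [f for path, text in SAMPLES.items() for f in scan_dependency_file(path, text)]
```

Because only the files are parsed and nothing is installed or imported, the check is safe to run against an untrusted repository; the price of that is that it sees declared constraints, not the version a resolver actually picked, which is why lock files are the more reliable signal when a repository has them.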