FixVibe
Covered by FixVibe. Severity: critical

LiteLLM SQL Injection in Proxy API Key Verification (CVE-2026-42208)

LiteLLM versions 1.81.16 through 1.83.6 contain a critical SQL injection vulnerability in the Proxy API key verification logic. This flaw allows unauthenticated attackers to bypass authentication controls or access the underlying database. The issue is resolved in version 1.83.7.

CVE-2026-42208 | GHSA-r75f-5x8p-qvmc | CWE-89

Impact

LiteLLM contains a critical SQL injection vulnerability in its Proxy API key verification process [S1]. This flaw allows unauthenticated attackers to bypass security checks and potentially access or exfiltrate data from the underlying database [S1][S3].

Root Cause

The issue is identified as CWE-89 (SQL Injection) [S1]. It is located in the API key verification logic of the LiteLLM Proxy component [S2]. The vulnerability stems from insufficient sanitization of input used in database queries [S1].
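To make the root cause concrete, here is an added, hypothetical illustration of the CWE-89 pattern in an API-key lookup next to its hardened form. It is example code written for this page, not LiteLLM's code; the advisory does not publish the affected query. The table, token values and user names are constructed for the demonstration.

```python
"""Added example (hypothetical; not LiteLLM's code): the CWE-89 pattern the
advisory describes, shown on a minimal API-key table with sqlite3.
The unsafe lookup interpolates the presented token into the SQL text, so the
token is parsed as SQL; the hardened lookup binds it as a parameter, so it is
only ever compared as data."""
import sqlite3


def make_db():
    """Constructed sample store: one active key and one revoked key.
    Tokens are stored in clear here only to keep the contrast on query
    construction; a real store would hold a hash of the token."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (token TEXT PRIMARY KEY, user_id TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("sk-test-good", "alice", 1), ("sk-test-revoked", "bob", 0)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, token):
    """Vulnerable pattern (CWE-89): the token becomes part of the SQL text."""
    sql = f"SELECT user_id FROM api_keys WHERE token = '{token}' AND active = 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def probe_unsafe(conn, token):
    """Shows that a single quote in the token reaches the SQL parser:
    sqlite3 reports a syntax error instead of simply finding no key."""
    try:
        return lookup_unsafe(conn, token)
    except sqlite3.OperationalError:
        return "sql-error"


def lookup_safe(conn, token):
    """Hardened form: the token is bound as a parameter. Whatever characters it
    contains, it is compared as a value and never parsed as SQL."""
    row = conn.execute(
        "SELECT user_id FROM api_keys WHERE token = ? AND active = 1", (token,)
    ).fetchone()
    return row[0] if row else None


def verify_authorization(conn, header_value):
    """Minimal 'Authorization: Bearer <token>' check built on the safe lookup."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return lookup_safe(conn, token)


if __name__ == "__main__":
    db = make_db()
    print(verify_authorization(db, "Bearer sk-test-good"))   # alice
    print(verify_authorization(db, "Bearer x'"))             # None
    print(probe_unsafe(db, "x'"))                            # sql-error
```

The probe deliberately stops at showing that a quote character changes how the statement parses; the point for a defender is that with the parameterized form the same input is an ordinary non-matching value, which is the property to assert in tests around any key-verification path.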

Affected Versions

LiteLLM versions 1.81.16 through 1.83.6 are affected by this vulnerability [S1].

Concrete Fixes

Update LiteLLM to version 1.83.7 or higher to mitigate this vulnerability [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including requirements.txt, pyproject.toml, poetry.lock, and Pipfile.lock. It flags LiteLLM pins or version constraints that match the affected range >=1.81.16 <1.83.7, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
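As an added illustration of the kind of check described above (example code written for this page, not FixVibe's scanner), the following reads the text of the four dependency-file formats named and reports LiteLLM references in the affected range with the file, line number, advisory IDs, affected range and fixed version. It goes slightly beyond the text in one respect: lower-bound constraints such as `>=` or poetry's `^` are reported separately from exact pins, because a resolver may still select a fixed release for them. All file contents below are constructed samples.

```python
"""Added example, not FixVibe's scanner: a read-only check over dependency-file
text for LiteLLM versions in the affected range >=1.81.16 <1.83.7
(CVE-2026-42208 / GHSA-r75f-5x8p-qvmc). Nothing is executed or installed."""
import re
from dataclasses import dataclass

ADVISORY_IDS = ("CVE-2026-42208", "GHSA-r75f-5x8p-qvmc")
AFFECTED_RANGE = ">=1.81.16 <1.83.7"
FIXED_VERSION = "1.83.7"
AFFECTED_MIN = (1, 81, 16)   # inclusive lower bound of the affected range
FIXED = (1, 83, 7)           # exclusive upper bound: first fixed release

# requirements.txt / PEP 621 / poetry pyproject forms:
#   litellm==1.82.0   "litellm>=1.81.16",   litellm = "^1.82.0"
PIN_RE = re.compile(
    r'^\s*"?litellm"?\s*(?:=\s*(?=["\']))?["\']?\s*(==|>=|~=|\^|~)?\s*["\']?(\d+\.\d+(?:\.\d+)?)',
    re.IGNORECASE,
)
# lock-file package headers: poetry.lock `name = "litellm"`, Pipfile.lock `"litellm": {`
HEADER_RE = re.compile(r'^\s*(?:name\s*=\s*"([^"]+)"|"([^"]+)"\s*:\s*\{)')
# the version line that follows such a header in either lock format
VERSION_RE = re.compile(r'^\s*"?version"?\s*[=:]\s*"(?:==)?(\d+\.\d+(?:\.\d+)?)"')


@dataclass
class Finding:
    file: str
    line: int
    operator: str          # "==" for exact pins, otherwise the constraint operator
    version: str
    advisory_ids: tuple = ADVISORY_IDS
    affected_range: str = AFFECTED_RANGE
    fixed_version: str = FIXED_VERSION

    def report(self):
        kind = ("exact pin" if self.operator == "=="
                else "minimum version is affected; confirm the resolved version")
        return (f"{self.file}:{self.line}: litellm {self.operator}{self.version} "
                f"({kind}); {', '.join(self.advisory_ids)}; "
                f"affected {self.affected_range}; fixed in {self.fixed_version}")


def parse_version(text):
    """'1.82' -> (1, 82, 0); only the numeric dotted form is accepted by the regexes."""
    nums = [int(p) for p in text.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version_text):
    return AFFECTED_MIN <= parse_version(version_text) < FIXED


def scan_dependency_file(filename, text):
    """Return Findings for one file's text. Lock files are handled with a small
    state machine (package header, then its version line); the other formats
    are matched per line."""
    findings = []
    in_litellm_entry = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = HEADER_RE.match(line)
        if header:
            name = header.group(1) or header.group(2)
            in_litellm_entry = name.lower() == "litellm"
            continue
        if in_litellm_entry:
            ver = VERSION_RE.match(line)
            if ver:
                in_litellm_entry = False
                if is_affected(ver.group(1)):
                    findings.append(Finding(filename, lineno, "==", ver.group(1)))
            continue
        pin = PIN_RE.match(line)
        if pin and is_affected(pin.group(2)):
            findings.append(Finding(filename, lineno, pin.group(1) or "==", pin.group(2)))
    return findings


def scan_all(files):
    """files: {filename: text}. Returns all findings in file order."""
    return [f for name, text in files.items() for f in scan_dependency_file(name, text)]


# Constructed sample contents: three affected references, plus an unaffected
# litellm lock entry and an unrelated package whose version happens to fall
# in the same numeric range (it must not be flagged).
SAMPLE_FILES = {
    "requirements.txt": "fastapi==0.110.0\nlitellm==1.82.0\nhttpx>=0.27\n",
    "pyproject.toml": '[tool.poetry.dependencies]\npython = "^3.11"\nlitellm = "^1.81.16"\n',
    "poetry.lock": ('[[package]]\nname = "litellm"\nversion = "1.83.6"\n\n'
                    '[[package]]\nname = "openai"\nversion = "1.83.0"\n'),
    "Pipfile.lock": ('{\n  "default": {\n    "litellm": {\n      "index": "pypi",\n'
                     '      "version": "==1.83.7"\n    }\n  }\n}\n'),
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(finding.report())
```

The lock-file entries are the ones worth trusting most, since they record the version that will actually be installed; a constraint finding in requirements.txt or pyproject.toml is a prompt to check the corresponding lock file rather than a confirmed affected install.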