FixVibe
Covered by FixVibecritical

I-LiteLLM Proxy SQL Injection (CVE-2026-42208)

Ukuba sengozini komjovo we-SQL okubalulekile (CVE-2026-42208) engxenyeni yommeleli we-LiteLLM kuvumela abahlaseli ukuthi badlule ukufakazela ubuqiniso noma bafinyelele ulwazi lwesizindalwazi olubucayi ngokusebenzisa inqubo yokuqinisekisa engukhiye we-API.

CVE-2026-42208GHSA-r75f-5x8p-qvmcCWE-89

Umthelela

Izinguqulo ze-LiteLLM 1.81.16 ukuya ku-1.83.7 ziqukethe ukuba sengozini okubalulekile komjovo we-SQL ngaphakathi kwendlela yokuqinisekisa ukhiye we-API yommeleli [S1]. Ukuxhaphaza ngempumelelo kuvumela umhlaseli ongagunyaziwe ukuthi adlule izilawuli zokuphepha noma enze imisebenzi yesizindalwazi esingagunyaziwe [S1]. Lokhu kuba sengozini kunikezwe amaphuzu e-CVSS angu-9.8, okubonisa umthelela wawo ophezulu ekugcinweni kuyimfihlo kwesistimu nobuqotho [S2].

Imbangela

Ubungozi bukhona ngoba ummeleli we-LiteLLM wehluleka ukuhlanza kahle noma ukwenza ipharamitha kukhiye we-API ohlinzekwe kunhlokweni we-Authorization ngaphambi kokuwusebenzisa embuzweni wesizindalwazi [S1]. Lokhu kuvumela imiyalo ye-SQL enonya eshumekwe kunhlokweni ukuthi isetshenziswe yisizindalwazi esisemuva [S3].

Izinguqulo Ezithintekile

  • LiteLLM: Izinguqulo 1.81.16 kuze kufike (kodwa zingabandakanyi) 1.83.7 [S1].

Ukulungiswa kukakhonkolo

  • Buyekeza i-LiteLLM: Thuthukisa ngokushesha iphakheji le-litellm ukuze libe inguqulo 1.83.7 noma kamuva ukuze uvale iphutha lomjovo [S1].
  • Hlola Amalogi Esizindalwazi: Buyekeza amalogi okufinyelela kusizindalwazi ukuze uthole amaphethini emibuzo angajwayelekile noma i-syntax engalindelekile evela kusevisi yommeleli [S1].

Ingqondo Yokuthola

Amathimba okuvikela angakwazi ukukhomba ukuchayeka ngokuthi:

  • Ukuskena Kwenguqulo: Ihlola indawo ebonisa izinguqulo ze-LiteLLM phakathi kwebanga elithintekile (1.81.16 kuya ku-1.83.6) [S1].
  • Ukuqapha Okusekhanda: Ihlola izicelo ezingenayo kummeleli we-LiteLLM zamaphethini omjovo we-SQL ikakhulukazi ngaphakathi kwenkambu yethokheni ye-Authorization: Bearer [S1].