{"uuid": "8e78cef2-363e-4dc3-994e-8b872f5d9c95", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42208", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/litellm_proxy_sqli.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"\", \"author\": [\"Tencent YunDing Security Lab\", \"Kenneth LaCroix\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module detects BerriAI LiteLLM proxy servers affected by\\n          CVE-2026-42208, an unauthenticated SQL injection. During API-key\\n          verification the proxy interpolates the raw Authorization bearer value\\n          into a PostgreSQL query (WHERE v.token = '') without\\n          parameterization. Because LiteLLM only hashes tokens that begin with\\n          \\\"sk-\\\", a bearer value that does not start with \\\"sk-\\\" reaches the query\\n          verbatim and is injectable. The failure path that performs the lookup is\\n          reachable before authentication. Affected versions are 1.81.16 through\\n          1.83.6 (fixed in 1.83.7).\\n\\n          The module confirms the flaw with a benign time-based check built on the\\n          framework's PostgreSQL time-based blind SQL injection library. It issues a\\n          request whose injected predicate sleeps only when a tautology is true and a\\n          second request whose predicate never sleeps, and reports the target\\n          vulnerable only when the first is delayed while the second returns promptly.\\n          A server that is merely slow delays both requests and is not flagged. The\\n          module does not read or exfiltrate data.\\n\\n          Detection requires the target to have provisioned at least one virtual\\n          key. The injectable predicate sits in a WHERE clause that PostgreSQL\\n          evaluates only against matching rows, so when the token table is empty\\n          the pg_sleep never executes and the proxy appears (falsely) safe. Any\\n          LiteLLM proxy in real use has issued keys; a freshly initialized proxy\\n          with an empty token table may not respond to the time-based probe.\", \"disclosure_date\": \"2026-04-20\", \"fullname\": \"auxiliary/scanner/http/litellm_proxy_sqli\", \"is_install_path\": true, \"mod_time\": \"2026-06-19 07:54:56 +0000\", \"name\": \"BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner\", \"needs_cleanup\": false, \"notes\": {\"Reliability\": [], \"SideEffects\": [\"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/auxiliary/scanner/http/litellm_proxy_sqli.rb\", \"platform\": \"\", \"post_auth\": false, \"rank\": 300, \"ref_name\": \"scanner/http/litellm_proxy_sqli\", \"references\": [\"CVE-2026-42208\", \"GHSA-r75f-5x8p-qvmc\", \"URL-https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy\"], \"rport\": 4000, \"session_types\": false, \"targets\": null, \"type\": \"auxiliary\"}", "creation_timestamp": "2026-06-24T15:45:11.740978Z"}