Full Report
The vulnerability exists in LiteLLM’s authentication flow, where the Authorization: Bearer header is directly concatenated into a SQL query without proper parameterization. This flaw allows attackers to inject arbitrary SQL statements prior to authentication, enabling direct a...
Analysis Summary
# Vulnerability: Pre-Authentication SQL Injection in LiteLLM
## CVE Details
- **CVE ID:** CVE-2026-42208
- **CVSS Score:** 10.0 (Critical) - *Based on unauthenticated remote access and full database compromise.*
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products:** LiteLLM (Open-source Proxy for LLM APIs)
- **Versions:** Versions prior to 1.34.42
- **Configurations:** Deployments utilizing PostgreSQL as the database backend for credential and token management.
## Vulnerability Description
The flaw resides in LiteLLM’s authentication logic. Specifically, the application extracts the token from the `Authorization: Bearer` header and directly concatenates it into a SQL query string instead of using prepared statements or parameterized queries. Because this occurs during the authentication phase, the sink is reachable by unauthenticated remote attackers. An attacker can craft a malicious Bearer token containing SQL fragments to manipulate the query logic.
## Exploitation
- **Status:** Exploited in the wild; PoC available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Observed Behavior:** Attackers have been observed using UNION-based injection to perform schema enumeration. Targeted tables include `litellm_credentials`, `litellm_config`, and `LiteLLM_VerificationToken`.
## Impact
- **Confidentiality:** Total (Full access to all data in the PostgreSQL database, including API keys and credentials).
- **Integrity:** Total (Ability to modify or delete database records).
- **Availability:** Total (Potential for database destruction or service disruption).
## Remediation
### Patches
- **Official Patch:** Update LiteLLM to version **1.34.42** or later. The patch implements parameterized queries for the authentication flow.
### Workarounds
- **Network Filtering:** Restrict access to the LiteLLM proxy interface to trusted IP addresses only via Firewall/WAF.
- **Database Hardening:** Apply the principle of least privilege to the database user used by LiteLLM to limit the scope of a potential breach.
## Detection
- **Indicators of Compromise:**
- HTTP requests to the LiteLLM endpoint featuring unusually long `Authorization: Bearer` headers.
- Presence of SQL keywords in headers, such as `UNION SELECT`, `pg_sleep`, `ORDER BY`, or references to `information_schema`.
- **Detection Methods:**
- Review PostgreSQL logs for syntax errors or unexpected queries involving the `litellm_credentials` table.
- Use WAF signatures to detect SQL injection patterns within the `Authorization` header.
## References
- **Vendor Advisory:** hxxps[://]github[.]com/BerriAI/litellm/releases/tag/v1.34.42
- **Detailed Analysis:** hxxps[://]webflow[.]sysdig[.]com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure
- **Threat Intelligence:** hxxps[://]threats[.]wiz[.]io/all-incidents/critical-sql-injection-vulnerability-in-litellm-exploited-in-the-wild