## https://sploitus.com/exploit?id=2DA57135-57BB-597F-8C0D-BCCBAEE544E5
# CVE-2026-42208 โ LiteLLM Pre-Authentication SQL Injection
A lab environment for reproducing and detecting **CVE-2026-42208**, a critical pre-authentication SQL injection vulnerability in LiteLLM where unsanitized Bearer tokens reach a raw PostgreSQL query.
---
## Vulnerability Overview
| Field | Details |
|-------|---------|
| CVE ID | CVE-2026-42208 |
| GHSA | [GHSA-r75f-5x8p-qvmc](https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc) |
| CVSS | 9.3 (Critical) โ `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` |
| Affected versions | >= 1.81.16, โ payload does NOT start with "sk-"
โ api_key.startswith("sk-") assertion fails (utils.py:1189)
โ caught by except Exception (utils.py:1560)
โ _handle_authentication_error(api_key=RAW_PAYLOAD)
โ _enrich_failure_metadata_with_key_info()
โ get_data(token=RAW_PAYLOAD, table_name="combined_view")
โ SQL: WHERE v.token = '{payload}' โ injection
Patched (v1.83.7):
Same request path, but:
โ get_data(token=hashed_token, ...)
โ SQL: WHERE v.token = $1 โ parameterized, no injection
```
### Attack Prerequisites
| # | Condition | Details |
|---|-----------|---------|
| 1 | Affected LiteLLM version | >= 1.81.16, = 5 pg_sleep(6) fired โ injection confirmed
```
False positive prevention:
- `status == 401` eliminates responses from upstream timeouts (504) and gateway errors (502)
- Body keyword match confirms the 401 came from LiteLLM's auth handling, not a WAF or proxy
- `duration >= 5` is sufficiently high to exclude network jitter (baseline is โค0.5s)
---
## References
- [GHSA-r75f-5x8p-qvmc](https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc)
- [NVD โ CVE-2026-42208](https://nvd.nist.gov/vuln/detail/CVE-2026-42208)
- [Sysdig Analysis](https://www.sysdig.com/blog/cve-2026-42208-critical-sql-injection-litellm/)
---
> **Warning:** All credentials in this lab are fake test data for security research purposes only. Never use in production. Always obtain explicit authorization before scanning systems you do not own.