diff --git a/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml new file mode 100644 index 00000000000..f7b37f93aac --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-15 13:33:11 +id: CVE-2026-42208 +info: + name: CVE-2026-42208 + author: crowdsec + severity: info + description: CVE-2026-42208 testing + tags: appsec-testing +http: + - raw: + - | + POST /v1/chat/completions HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Authorization: Bearer {{randstr}}' OR (SELECT pg_sleep(8)) IS NOT NULL -- + + {} + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/vpatch-CVE-2026-42208/config.yaml b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml new file mode 100644 index 00000000000..72227431ac6 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-15 13:33:11 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml +nuclei_template: CVE-2026-42208.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml new file mode 100644 index 00000000000..dc14dfd3df2 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-07-15 13:33:11 +name: crowdsecurity/vpatch-CVE-2026-42208 +description: 'Detects SQL injection in LiteLLM via crafted Authorization header on /v1/chat/completions endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /v1/chat/completions + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: "' or (select" + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'LiteLLM - SQLI' + classification: + - cve.CVE-2026-42208 + - attack.T1190 + - cwe.CWE-89 diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 79a2e5ca01c..e15949bfd89 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -70,6 +70,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2020-5902 - crowdsecurity/vpatch-CVE-2018-13379 - crowdsecurity/vpatch-CVE-2022-26134 +- crowdsecurity/vpatch-CVE-2026-42208 - crowdsecurity/vpatch-CVE-2026-1557 - crowdsecurity/vpatch-CVE-2024-34102 - crowdsecurity/vpatch-CVE-2024-29973