From 334ef98e1fe3d3516e8718ac869d26ba9cfdb573 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Jul 2026 15:33:14 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-42208 rule --- .../crowdsecurity/vpatch-CVE-2026-42208.yaml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml new file mode 100644 index 00000000000..dc14dfd3df2 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-07-15 13:33:11 +name: crowdsecurity/vpatch-CVE-2026-42208 +description: 'Detects SQL injection in LiteLLM via crafted Authorization header on /v1/chat/completions endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /v1/chat/completions + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: "' or (select" + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'LiteLLM - SQLI' + classification: + - cve.CVE-2026-42208 + - attack.T1190 + - cwe.CWE-89 From 277f4c488b272ffa5c4331efd76290cc94eef040 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Jul 2026 15:33:16 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-42208 test config --- .appsec-tests/vpatch-CVE-2026-42208/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-42208/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-42208/config.yaml b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml new file mode 100644 index 00000000000..72227431ac6 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-15 13:33:11 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml +nuclei_template: CVE-2026-42208.yaml From d2ebb9503f0d30a63e72f7f75d871009144cc5cc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Jul 2026 15:33:18 +0200 Subject: [PATCH 3/4] Add CVE-2026-42208.yaml test --- .../vpatch-CVE-2026-42208/CVE-2026-42208.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml new file mode 100644 index 00000000000..f7b37f93aac --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-15 13:33:11 +id: CVE-2026-42208 +info: + name: CVE-2026-42208 + author: crowdsec + severity: info + description: CVE-2026-42208 testing + tags: appsec-testing +http: + - raw: + - | + POST /v1/chat/completions HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Authorization: Bearer {{randstr}}' OR (SELECT pg_sleep(8)) IS NOT NULL -- + + {} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From c9051fea02e1ed99c0253f2599f5de0cbf65bd53 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Jul 2026 15:33:20 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-42208 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 79a2e5ca01c..e15949bfd89 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -70,6 +70,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2020-5902 - crowdsecurity/vpatch-CVE-2018-13379 - crowdsecurity/vpatch-CVE-2022-26134 +- crowdsecurity/vpatch-CVE-2026-42208 - crowdsecurity/vpatch-CVE-2026-1557 - crowdsecurity/vpatch-CVE-2024-34102 - crowdsecurity/vpatch-CVE-2024-29973