Skip to content

Add vpatch-CVE-2026-42208 rule and test#59

Open
crowdsec-automation wants to merge 4 commits into
masterfrom
1783515416-vpatch-CVE-2026-42208
Open

Add vpatch-CVE-2026-42208 rule and test#59
crowdsec-automation wants to merge 4 commits into
masterfrom
1783515416-vpatch-CVE-2026-42208

Conversation

@crowdsec-automation

Copy link
Copy Markdown

This rule targets the SQL injection vulnerability in LiteLLM (CVE-2026-42208) that is exploited via a crafted Authorization header on the /v1/chat/completions endpoint. The detection logic is as follows:

  • The first rule ensures the request is made to the exact endpoint /v1/chat/completions by matching the URI with a lowercase transformation for normalization.
  • The second rule inspects the authorization header for the presence of the SQL injection pattern "' or ", which is characteristic of the attack payload (e.g., Bearer <token>' OR ...). The lowercase transformation ensures case-insensitive matching.
  • The rule does not match on the body or other headers, as the vulnerability is specifically triggered by the Authorization header.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.

Validation Checklist:

  • All value: fields are lowercase.
  • transform includes lowercase wherever applicable.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex for the Authorization header pattern, as only a substring match is needed.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-42208.yaml

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-42208 🔴

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants