diff --git a/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml new file mode 100644 index 00000000000..745d8cbc7eb --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-08 12:56:55 +id: CVE-2026-42208 +info: + name: CVE-2026-42208 + author: crowdsec + severity: info + description: CVE-2026-42208 testing + tags: appsec-testing +http: + - raw: + - | + POST /v1/chat/completions HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Authorization: Bearer {{randstr}}' OR (SELECT pg_sleep(8)) IS NOT NULL -- + + {} + cookie-reuse: true + matchers: + - type: status + status: + - 403 diff --git a/.appsec-tests/vpatch-CVE-2026-42208/config.yaml b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml new file mode 100644 index 00000000000..6dd840c1b71 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-08 12:56:55 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml +nuclei_template: CVE-2026-42208.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml new file mode 100644 index 00000000000..9e6ea71f444 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-07-08 12:56:55 +name: crowdsecurity/vpatch-CVE-2026-42208 +description: 'Detects SQL injection in LiteLLM via crafted Authorization header on /v1/chat/completions endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /v1/chat/completions + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: "' or " + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'LiteLLM - SQLI' + classification: + - cve.CVE-2026-42208 + - attack.T1190 + - cwe.CWE-89 diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 073510b3f5d..85d57e8f323 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -136,6 +136,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-59528 - crowdsecurity/vpatch-CVE-2024-46506 - crowdsecurity/vpatch-CVE-2025-3605 +- crowdsecurity/vpatch-CVE-2026-42208 - crowdsecurity/vpatch-CVE-2024-29028 - crowdsecurity/vpatch-CVE-2023-6000 - crowdsecurity/vpatch-CVE-2024-0204