From 7668ab8304835642611a847cd660ad11151da7ee Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:56:58 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-42208 rule --- .../crowdsecurity/vpatch-CVE-2026-42208.yaml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml new file mode 100644 index 00000000000..9e6ea71f444 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-07-08 12:56:55 +name: crowdsecurity/vpatch-CVE-2026-42208 +description: 'Detects SQL injection in LiteLLM via crafted Authorization header on /v1/chat/completions endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /v1/chat/completions + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: "' or " + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'LiteLLM - SQLI' + classification: + - cve.CVE-2026-42208 + - attack.T1190 + - cwe.CWE-89 From deec672df4c3d5cbbbf00dcdd2025105625ae2cf Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:57:00 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-42208 test config --- .appsec-tests/vpatch-CVE-2026-42208/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-42208/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-42208/config.yaml b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml new file mode 100644 index 00000000000..6dd840c1b71 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-08 12:56:55 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-42208.yaml +nuclei_template: CVE-2026-42208.yaml From 1f09d0512bb86a89b2b13ff511f6f3d6b4781366 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:57:02 +0200 Subject: [PATCH 3/4] Add CVE-2026-42208.yaml test --- .../vpatch-CVE-2026-42208/CVE-2026-42208.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml new file mode 100644 index 00000000000..745d8cbc7eb --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-42208/CVE-2026-42208.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-08 12:56:55 +id: CVE-2026-42208 +info: + name: CVE-2026-42208 + author: crowdsec + severity: info + description: CVE-2026-42208 testing + tags: appsec-testing +http: + - raw: + - | + POST /v1/chat/completions HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Authorization: Bearer {{randstr}}' OR (SELECT pg_sleep(8)) IS NOT NULL -- + + {} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 25ca5303c40be26092ab11aa13bf41fb70f5faf4 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:57:04 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-42208 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 073510b3f5d..85d57e8f323 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -136,6 +136,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-59528 - crowdsecurity/vpatch-CVE-2024-46506 - crowdsecurity/vpatch-CVE-2025-3605 +- crowdsecurity/vpatch-CVE-2026-42208 - crowdsecurity/vpatch-CVE-2024-29028 - crowdsecurity/vpatch-CVE-2023-6000 - crowdsecurity/vpatch-CVE-2024-0204