Skip to content

Add vpatch-CVE-2026-42208 rule and test#61

Open
crowdsec-automation wants to merge 4 commits into
masterfrom
1784122392-vpatch-CVE-2026-42208
Open

Add vpatch-CVE-2026-42208 rule and test#61
crowdsec-automation wants to merge 4 commits into
masterfrom
1784122392-vpatch-CVE-2026-42208

Conversation

@crowdsec-automation

Copy link
Copy Markdown

This rule targets the SQL injection vulnerability in LiteLLM (CVE-2026-42208) that is exploited via a crafted Authorization header on the /v1/chat/completions endpoint. The detection logic is as follows:

  • The first rule ensures the request is made to the exact endpoint /v1/chat/completions by matching the URI with a lowercase transformation for normalization.
  • The second rule inspects the Authorization header for the presence of the SQL injection pattern. Specifically, it looks for the substring "' or (select" (all lowercase), which is characteristic of the exploit payload (Bearer {{randstr}}' OR (SELECT pg_sleep(8)) IS NOT NULL --). The lowercase transformation ensures case-insensitive matching.
  • The use of contains instead of regex or equals minimizes false negatives while avoiding overbroad matching.
  • The rule does not match on other request elements, as the vulnerability is only triggered by the Authorization header on this endpoint.
  • Labels and classification are set according to the CVE and CWE references, and the rule is marked as an exploit for HTTP services.

Validation checklist:

  • All value: fields are lowercase.
  • transform includes lowercase wherever applicable.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-42208.yaml

@github-actions

Copy link
Copy Markdown

Hello @crowdsec-automation,

✅ The new VPATCH Rule is compliant, thank you for your contribution!

@github-actions

Copy link
Copy Markdown

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-42208 🔴

@github-actions

Copy link
Copy Markdown

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants