CVE-2026-42208:
NixOS Vulnerability Analysis and Mitigation
Overview
CVE-2026-42208 is a pre-authentication SQL injection vulnerability in BerriAI's LiteLLM proxy server (AI Gateway), allowing unauthenticated remote attackers to read and potentially modify the proxy's backend database. It affects LiteLLM versions 1.81.16 through 1.83.6 (fixed in 1.83.7). The vulnerability was discovered by Tencent YunDing Security Lab, disclosed via GitHub Security Advisory on April 20, 2026, and published to NVD on May 8, 2026. It carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 9.3 (Critical) (GitHub Advisory, CISA KEV).
Technical details
The root cause (CWE-89) is improper neutralization of SQL special elements: the database query used during proxy API key verification directly concatenates the caller-supplied Authorization header value into the SQL query text rather than using parameterized queries. An unauthenticated attacker can send a specially crafted Authorization header to any LLM API route (e.g., POST /chat/completions), and the injected SQL payload is executed through the proxy's error-handling code path. No authentication, special privileges, or user interaction is required — the attack is fully network-accessible with low complexity. A public Python exploit script and a lab environment repository are available (GitHub Advisory, PoC Exploit, Sysdig Blog).
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the LiteLLM proxy's database, enabling exfiltration of sensitive data including stored LLM provider API keys, credentials, and user information managed by the proxy. Attackers may also modify database contents to gain unauthorized access to the proxy itself, potentially pivoting to downstream LLM provider accounts (e.g., OpenAI, Anthropic) and any systems relying on those credentials. The vulnerability has been chained with a separate LiteLLM flaw (CVE-2026-42271) to achieve unauthenticated remote code execution (BleepingComputer, The Hacker News, Security Affairs).
Exploitation steps
- Reconnaissance: Identify internet-facing LiteLLM proxy instances (versions 1.81.16–1.83.6) using tools like Shodan or Censys, searching for LiteLLM API endpoints (e.g., services exposing /chat/completions or similar OpenAI-compatible routes).
- Craft malicious Authorization header: Prepare a specially crafted Authorization header value containing SQL injection payloads (e.g., ' OR 1=1--, UNION-based, or time-based blind injection strings) designed to manipulate the API key lookup query.
- Send request to LLM API route: Submit an HTTP POST request to any LLM API endpoint (e.g., POST /chat/completions) with the malicious Authorization header. The proxy's error-handling path processes the invalid key and passes the unsanitized value directly into the SQL query.
- Extract database contents: Use SQL injection techniques (UNION SELECT, error-based, or blind injection) to enumerate and dump database tables, extracting stored LLM provider API keys, user credentials, and proxy configuration data.
- Modify database or escalate: Optionally insert or modify database records to create unauthorized proxy access, or use extracted API keys to directly access upstream LLM provider accounts. Chain with CVE-2026-42271 for unauthenticated RCE (PoC Exploit, Sysdig Blog, BleepingComputer).
Indicators of compromise
- Network: Unusual or malformed HTTP POST requests to LiteLLM API routes (e.g., /chat/completions, /v1/chat/completions) with Authorization headers containing SQL metacharacters (', --, UNION, SELECT, OR 1=1); unexpected outbound connections from the LiteLLM proxy host to unknown external IPs.
- Logs: LiteLLM proxy access logs showing repeated requests with anomalous Authorization header values; database error messages or SQL syntax errors appearing in proxy logs; high volume of failed authentication attempts from a single source IP.
- File System: Unexpected new files or scripts in the LiteLLM installation directory; modified configuration files; evidence of credential harvesting tools dropped on the host (if chained with RCE via CVE-2026-42271).
- Database: Unexpected queries in database audit logs involving UNION, information_schema, or other SQL injection artifacts; unauthorized reads of API key or credential tables; new or modified rows in user/key management tables.
- Process: Unusual child processes spawned by the LiteLLM Python process (if RCE chain is used); unexpected network connections initiated by the proxy service (BleepingComputer, Sysdig Blog).
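The network and log indicators above can be turned into a simple triage pass. The following is an added example, not code from LiteLLM or from the sources cited on this page; it assumes a hypothetical JSON-lines request log (for instance from a reverse proxy in front of LiteLLM) with `src`, `method`, `path` and `authorization` fields, and an assumed key alphabet of letters, digits, `.`, `_` and `-`.

```python
import json
import re
from collections import Counter

# Example routes named in the indicator list; extend to every LLM route you expose.
LLM_ROUTES = ("/chat/completions", "/v1/chat/completions")
# SQL artifacts named in the network and database indicators.
SQL_MARKERS = re.compile(r"'|--|\bunion\b|\bselect\b|\bor\s+1\s*=\s*1\b|information_schema", re.I)
# Assumption: legitimate proxy keys contain only these characters.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample log lines (hypothetical format, documentation-range addresses).
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "method": "POST", "path": "/v1/chat/completions", "authorization": "Bearer sk-constructed-1234"}',
    '{"src": "198.51.100.7", "method": "POST", "path": "/chat/completions", "authorization": "Bearer \' OR 1=1--"}',
    '{"src": "198.51.100.7", "method": "POST", "path": "/chat/completions", "authorization": "Bearer x\' UNION SELECT 1--"}',
    '{"src": "192.0.2.11", "method": "GET", "path": "/health", "authorization": ""}',
]

def classify(event):
    """Return a reason string if the request matches an indicator, else None."""
    if event.get("method") != "POST" or not event.get("path", "").startswith(LLM_ROUTES):
        return None
    auth = event.get("authorization", "")
    token = auth[7:] if auth.lower().startswith("bearer ") else auth
    markers = sorted({m.group(0).lower() for m in SQL_MARKERS.finditer(token)})
    if markers:
        return "sql-markers:" + ",".join(markers)
    if not TOKEN_SHAPE.match(token):
        return "malformed-token"  # outside the assumed key alphabet, or empty
    return None

def scan(lines):
    """Return (hits, per-source counts) so repeated attempts from one IP stand out."""
    hits, per_source = [], Counter()
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event["src"], reason))
            per_source[event["src"]] += 1
    return hits, per_source

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG)[0]:
        print(src, reason)
```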
Mitigation and workarounds
Upgrade LiteLLM to version 1.83.7 or later, which fixes the vulnerability by passing the caller-supplied key as a separate parameterized query parameter rather than concatenating it into the SQL query text (GitHub Advisory, LiteLLM Release). If immediate patching is not possible, set disable_error_logs: true under general_settings in the LiteLLM configuration — this removes the error-handling code path through which unauthenticated input reaches the vulnerable query. Additionally, restrict network access to LiteLLM proxy endpoints to trusted sources only, rotate all API keys and credentials stored in the proxy database, and monitor for suspicious Authorization header patterns. CISA's KEV deadline for federal agencies was May 11, 2026 (CISA KEV).
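The root cause described under Technical details and the fix described above differ only in how the caller-supplied key reaches the query. The following is an added example, not LiteLLM's code: it uses an in-memory SQLite database with a hypothetical `api_keys` table and constructed rows to show the concatenated lookup beside the parameterized one.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the proxy's key table (hypothetical schema, constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.executemany(
        "INSERT INTO api_keys VALUES (?, ?)",
        [("sk-constructed-alice", "alice"), ("sk-constructed-bob", "bob")],
    )
    return db

def bearer_token(header):
    """Return the credential part of an Authorization header value."""
    scheme, _, value = header.partition(" ")
    return value if scheme.lower() == "bearer" else header

def lookup_concatenated(db, header):
    """'Before' pattern: caller input becomes part of the SQL text."""
    sql = "SELECT owner FROM api_keys WHERE token = '" + bearer_token(header) + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_parameterized(db, header):
    """'After' pattern: the value is bound as a parameter and is only ever data."""
    sql = "SELECT owner FROM api_keys WHERE token = ?"
    return sorted(row[0] for row in db.execute(sql, (bearer_token(header),)))

if __name__ == "__main__":
    db = make_db()
    # Second header uses the example string already quoted in the steps above.
    for header in ("Bearer sk-constructed-alice", "Bearer ' OR 1=1--"):
        print(repr(header), lookup_concatenated(db, header), lookup_parameterized(db, header))
```

With the concatenated form, a key that merely contains an apostrophe raises a SQL syntax error, which is the kind of database error the log indicators above refer to.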
Community reactions
The vulnerability attracted significant attention due to its rapid exploitation — active attacks were observed within approximately 36 hours of public disclosure, prompting widespread coverage from BleepingComputer, The Hacker News, Security Affairs, SecurityWeek, and Sysdig (BleepingComputer, Sysdig Blog). Security researchers and commentators highlighted the case as an example of "mean time to exploit going negative" — where exploitation precedes broad awareness — and used it to argue for faster patch deployment cycles, with some citing U.S. proposals to slash patch deadlines to 3 days. Belgium's Centre for Cybersecurity (CCB) issued an advisory urging immediate patching. The LiteLLM vendor published an official blog post detailing the vulnerability and remediation steps (LiteLLM Blog). Community discussion on Reddit (r/SecOpsDaily, r/LLMDevs, r/aisecurity) and Mastodon/Bluesky was active, with defenders sharing detection tips and researchers noting the chaining potential with CVE-2026-42271 for unauthenticated RCE.
Source: This report was generated using AI.