CVE-2026-42208 Microsoft Sentinel · KQL

Detect BerriAI LiteLLM SQL Injection Exploitation (CVE-2026-42208) in Microsoft Sentinel

Detects exploitation attempts targeting a SQL injection vulnerability in BerriAI LiteLLM (CVE-2026-42208, CWE-89). LiteLLM is a widely deployed LLM proxy/gateway; successful exploitation allows unauthenticated or authenticated attackers to manipulate backend database queries, potentially exfiltrating API keys, user data, model configurations, and spend tracking records. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access · Credential Access · Discovery · Collection

KQL Detection Query

Microsoft Sentinel (KQL)
union withsource=SourceTable DeviceNetworkEvents, CommonSecurityLog, AzureDiagnostics
| where TimeGenerated >= ago(24h)
// The three tables do not share one HTTP schema; column_ifexists() keeps the union from failing
// on a column that only some sources carry. RequestBody and UserAgent are assumed to come from a
// custom proxy/WAF parser and are empty where no source provides them.
| extend RequestURL = coalesce(column_ifexists("RequestURL", ""), column_ifexists("RemoteUrl", ""))
| extend RequestBody = column_ifexists("RequestBody", "")
| extend UserAgent = coalesce(column_ifexists("UserAgent", ""), column_ifexists("RequestClientApplication", ""))
| extend ClientIP = coalesce(column_ifexists("SourceIP", ""), column_ifexists("CallerIPAddress", ""), column_ifexists("RemoteIP", ""))
// contains is case-insensitive, so "union select" and "UNION SELECT" both match
| extend UrlHit = RequestURL contains "' OR '" or RequestURL contains "' OR 1=1" or RequestURL contains "UNION SELECT"
    or RequestURL contains "-- " or RequestURL contains "';" or RequestURL contains "%27" or RequestURL contains "0x27"
| extend BodyHit = RequestBody contains "' OR '" or RequestBody contains "UNION SELECT" or RequestBody contains "--"
    or RequestBody contains "1=1" or RequestBody contains "';--"
| where UrlHit or BodyHit
// Restrict to LiteLLM route prefixes; tune this list to the routes your deployment exposes
| where RequestURL has_any ("/key/", "/user/", "/spend/", "/model/", "/team/", "/health", "/chat/completions")
// Keep the part of the request that actually matched (coalesce would always return the URL)
| extend SuspiciousPayload = iff(UrlHit, RequestURL, RequestBody)
| summarize AttemptCount = count(), DistinctPaths = dcount(RequestURL), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ClientIP, UserAgent, SuspiciousPayload
| extend RiskScore = case(AttemptCount > 10, "High", AttemptCount > 3, "Medium", "Low")
| project FirstSeen, LastSeen, ClientIP, UserAgent, AttemptCount, DistinctPaths, SuspiciousPayload, RiskScore
| sort by AttemptCount desc
Severity: Critical · Confidence: Medium

Detects SQL injection patterns in HTTP requests targeting LiteLLM API endpoints via network event logs and WAF/proxy logs. Looks for classic SQLi payloads in URLs and request bodies directed at LiteLLM-specific route prefixes.

Data Sources

DeviceNetworkEvents · CommonSecurityLog · AzureDiagnostics · AzureWebApplicationFirewall

Required Tables

DeviceNetworkEvents · CommonSecurityLog · AzureDiagnostics

False Positives & Tuning

  • Security scanners and penetration testing tools probing LiteLLM endpoints
  • Legitimate API consumers whose payloads contain characters that resemble SQL syntax (e.g., natural language prompts with apostrophes)
  • Web Application Firewall test rules generating synthetic SQLi traffic
  • Automated fuzz testing frameworks running in CI/CD pipelines
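The following is an added example, not code from this page, from LiteLLM or from the detection vendor. It re-implements the query's logic offline (the same URL and body indicators, the same LiteLLM route filter, the same per-client aggregation and risk thresholds) over constructed sample events, so the rule can be sanity-checked before it is deployed and the tuning cases above can be seen concretely: one scripted probe reaches "High", a benign prompt containing "--" is flagged exactly as the second bullet warns, and a probe against a path outside the route list is dropped. The event field names (client_ip, user_agent, url, body) are assumptions; KQL `has_any` does term matching, which plain substring matching stands in for here.

```python
# Offline check of the Sentinel detection logic: same indicators, route filter and
# aggregation, run over constructed sample events. Added example; not the page's code.
from collections import defaultdict

# Indicators mirrored from the KQL query. KQL `contains` is case-insensitive, so every
# comparison below lowercases both sides.
URL_INDICATORS = ("' or '", "' or 1=1", "union select", "-- ", "';", "%27", "0x27")
BODY_INDICATORS = ("' or '", "union select", "--", "1=1", "';--")
# Route prefixes from the query. KQL `has_any` is term-based; substring matching is a
# close-enough stand-in for this offline check.
LITELLM_ROUTES = ("/key/", "/user/", "/spend/", "/model/", "/team/", "/health", "/chat/completions")


def url_hit(url: str) -> bool:
    u = url.lower()
    return any(ind in u for ind in URL_INDICATORS)


def body_hit(body: str) -> bool:
    b = body.lower()
    return any(ind in b for ind in BODY_INDICATORS)


def on_litellm_route(url: str) -> bool:
    u = url.lower()
    return any(route in u for route in LITELLM_ROUTES)


def risk_score(attempts: int) -> str:
    # Same thresholds as the query's case() expression
    if attempts > 10:
        return "High"
    if attempts > 3:
        return "Medium"
    return "Low"


def detect(events):
    """events: iterable of dicts with client_ip, user_agent, url, body (assumed field names).
    Returns one row per (client_ip, user_agent, payload), sorted like the KQL output."""
    groups = defaultdict(lambda: {"attempts": 0, "paths": set()})
    for ev in events:
        url, body = ev["url"], ev.get("body", "")
        u_hit, b_hit = url_hit(url), body_hit(body)
        if not (u_hit or b_hit) or not on_litellm_route(url):
            continue
        payload = url if u_hit else body  # keep the part of the request that matched
        g = groups[(ev["client_ip"], ev["user_agent"], payload)]
        g["attempts"] += 1
        g["paths"].add(url)
    rows = [
        {"client_ip": ip, "user_agent": ua, "payload": payload,
         "attempt_count": g["attempts"], "distinct_paths": len(g["paths"]),
         "risk": risk_score(g["attempts"])}
        for (ip, ua, payload), g in groups.items()
    ]
    return sorted(rows, key=lambda r: r["attempt_count"], reverse=True)


# Constructed sample events (not real traffic): two scripted probes, a benign prompt that
# trips the "--" body indicator, a benign prompt that does not, and a probe aimed at a
# path outside the LiteLLM route list.
SAMPLE_EVENTS = (
    [{"client_ip": "203.0.113.10", "user_agent": "python-requests/2.31",
      "url": "/key/info?key=' OR '1'='1", "body": ""}] * 12
    + [{"client_ip": "198.51.100.7", "user_agent": "curl/8.4",
        "url": "/user/info?user_id=1 UNION SELECT 1,2,3", "body": ""}] * 2
    + [{"client_ip": "192.0.2.5", "user_agent": "litellm-sdk/1.0",
        "url": "/chat/completions",
        "body": '{"messages":[{"role":"user","content":"I don\'t know -- maybe tomorrow"}]}'}]
    + [{"client_ip": "192.0.2.6", "user_agent": "litellm-sdk/1.0",
        "url": "/chat/completions",
        "body": '{"messages":[{"role":"user","content":"What\'s the weather today?"}]}'}]
    + [{"client_ip": "203.0.113.10", "user_agent": "python-requests/2.31",
        "url": "/admin/login?user=' OR 1=1", "body": ""}]
)

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running it prints three rows: the twelve-request probe at "High", the two-request probe at "Low", and the benign prompt with "--" at "Low". The last row is the false positive the tuning list describes; if prompts with double hyphens are common in your traffic, that is the indicator to narrow (for example to "--" followed by whitespace, as the URL list already does) or to exclude for the /chat/completions route.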

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Error-Based SQL Injection on LiteLLM /key/info Endpoint

    Expected signal: HTTP 500 or 422 response from LiteLLM; database error message in application logs; WAF alert if deployed

  2. Test 2: UNION SELECT Injection Attempt on /user/info Endpoint

    Expected signal: HTTP 500 or data leak in response body; PostgreSQL logs show UNION SELECT statement; network proxy logs capture full URL with UNION payload

  3. Test 3: Time-Based Blind SQL Injection via LiteLLM /spend/logs

    Expected signal: Response time >= 5 seconds; PostgreSQL slow query log entry for pg_sleep; application logs show extended request duration

  4. Test 4: POST Body SQL Injection to LiteLLM /key/generate

    Expected signal: HTTP 400/500 with SQL error in response; application log shows malformed query; SIEM alert on POST body containing OR 1=1
