{
  "variant_id": "pruva-litellm-cve-2026-42271-alt-auth-headers-no-bypass",
  "created_at": "2026-07-07T00:00:00Z",
  "variant_summary": "Alternate API-Key and x-litellm-api-key authentication headers reach the same LiteLLM combined_view SQL-injection sink on vulnerable litellm==1.83.6, but litellm==1.83.7 parameterizes the sink and blocks both paths; no fixed-version bypass was confirmed.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/BerriAI/litellm",
  "submitted_target": {
    "target_kind": "package_version",
    "version": "1.83.6",
    "ref": "v1.83.6-nightly",
    "commit_sha": "9e4352afb42a870a70f572121d6c39a32c48b3f8",
    "display": "litellm==1.83.6 / v1.83.6-nightly"
  },
  "variant_target": {
    "target_kind": "package_version",
    "version": "1.83.7",
    "ref": "v1.83.7-stable",
    "commit_sha": "e0d5c28db02b3219dbd944666a55f49732197922",
    "display": "litellm==1.83.7 / v1.83.7-stable (security fix commit 4dc416ee749122ca91e3bca095217478663419e7 present)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "Unauthenticated/protected LiteLLM proxy API requests using attacker-controlled API-key material",
  "validated_surface": "Remote GET /model/info with API-Key and x-litellm-api-key headers",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "GET /model/info with SQL payload supplied in API-Key or x-litellm-api-key header",
  "attacker_controlled_input": "API-Key and x-litellm-api-key header values",
  "trigger_path": "GET /model/info -> user_api_key_auth.get_api_key() -> auth_checks._fetch_key_object_from_db_with_reconnect() -> PrismaClient.get_data(table_name=combined_view) -> raw/parameterized SQL token lookup",
  "observed_impact_class": "authz_bypass_on_vulnerable_version_no_fixed_bypass",
  "exploitability_confidence": "high_on_vulnerable_version_none_as_fixed_bypass",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "The materially distinct alternate header paths reproduce only on vulnerable litellm==1.83.6. The fixed litellm==1.83.7 target rejects both payloads quickly and PostgreSQL logs show the token bound as $1.",
  "blocking_mitigation": "Parameterized combined_view token lookup introduced by commit 4dc416ee749122ca91e3bca095217478663419e7.",
  "file_path": "litellm/proxy/utils.py",
  "line_start": 3480,
  "line_end": 3492,
  "secondary_anchors": [
    {
      "file_path": "litellm/proxy/auth/user_api_key_auth.py",
      "line_start": 557,
      "line_end": 596
    },
    {
      "file_path": "litellm/proxy/auth/auth_checks.py",
      "line_start": 2352,
      "line_end": 2365
    },
    {
      "file_path": "litellm/proxy/spend_tracking/spend_management_endpoints.py",
      "line_start": 1794,
      "line_end": 1815
    }
  ],
  "review_scope_paths": [
    "litellm/proxy/utils.py",
    "litellm/proxy/auth/user_api_key_auth.py",
    "litellm/proxy/auth/auth_checks.py",
    "litellm/proxy/spend_tracking/spend_management_endpoints.py",
    "security.md"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh"
    ]
  }
}
