Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Disclosure requires authorized read access to logs, so PR:L and AV:L rather than network/unauthenticated; confidentiality-only impact means I:N and A:N.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.
AnalysisAI
Sensitive information disclosure in Red Hat OpenShift AI's vllm-orchestrator-gateway component exposes bearer tokens and full chat payloads because the production binary writes all incoming Authorization headers and complete request bodies to persistent logs. Any user holding logging privileges can read these logs to harvest live credentials and potentially PII-laden conversation content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires read access to the persistent logs produced by the vllm-orchestrator-gateway production binary - i.e., 'logging privileges' such as OpenShift log-viewer RBAC, access to the container's stdout/log volume, or access to the downstream aggregation backend (Loki/EFK). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5, High) models this as a remote, unauthenticated confidentiality breach, but that framing conflicts with the description, which states the data is exposed only to a 'user with logging privileges' - an authenticated, authorized insider or a compromised log-reader account, not an anonymous network attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An SRE, platform operator, or a service account scoped to the logging stack opens the aggregated gateway logs and reads plaintext Authorization: Bearer tokens alongside full chat prompts and responses. They replay a harvested token against the LLM API to impersonate legitimate callers and exfiltrate the captured PII-bearing conversation content. … |
| Remediation | No vendor-released patch version is identified in the available data; monitor the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-15574) and Bugzilla 2499594 (https://bugzilla.redhat.com/show_bug.cgi?id=2499594) for the fixing errata and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit vllm-orchestrator-gateway logging access controls to identify privileged users; review logs for suspicious access patterns and begin credential inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Openshift Ai Rhoai
View allKubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authe
Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat
Arbitrary file write in the Feast Feature Server's `/save-document` endpoint lets an unauthenticated remote attacker wri
Denial of service in the Feast Feature Server (the Python feature-store serving component, also shipped within Red Hat O
The Feast Feature Server contains a path traversal vulnerability in its `/read-document` endpoint that allows unauthenti
Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments
Unproxied metrics port exposure in the gorch service template of trustyai-service-operator (part of Red Hat OpenShift AI
Image input manipulation in vLLM's multimodal preprocessing pipeline allows remote, unauthenticated network attackers to
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43310
GHSA-fgpg-f5rm-p28p