What is the CVSS score of CVE-2026-24779?

CVE-2026-24779 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Python are affected by CVE-2026-24779?

vLLM deployments using multimodal features are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing attackers to access internal systems and data without authentication.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24779?

Yes, a public proof-of-concept exploit is available for CVE-2026-24779. Prioritise patching immediately. EPSS: 0.0%.

Python CVE-2026-24779

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-01-27 security-advisories@github.com

GHSA-qh4c-xf7m-gxfc

Denial Of Service Python SSRF Industrial Red Hat AI / ML Vllm

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Jan 30, 2026 - 14:41 vuln.today

Public exploit code

Patch released

Jan 30, 2026 - 14:41 nvd

Patch available

CVE Published

Jan 27, 2026 - 22:15 nvd

HIGH 7.1

DescriptionNVD

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like llm-d, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal llm-d management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.

AnalysisAI

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. …

RemediationAI

Within 24 hours: Inventory all vLLM instances and identify those running versions prior to 0.14.1 in production environments. Within 7 days: Apply vendor patch to upgrade vLLM to version 0.14.1 or later across all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory