
vLLM CVE-2026-48746

CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-06-16 https://github.com/vllm-project/vllm GHSA-94f4-hr76-p5j6
9.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 9.1 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI: 9.1 CRITICAL

Single unauthenticated HTTP request over the network bypasses the API key; full model access and GPU-cost availability impact, but no integrity change to the server, so I:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 16, 2026 - 18:22 (vuln.today)
Analysis Generated: Jun 16, 2026 - 18:22 (vuln.today)
CVE Published: Jun 16, 2026 - 17:36 (github-advisory), CRITICAL 9.1

Blast Radius

ecosystem impact
  • 2 pypi packages depend on vllm (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.3.0.

Description (GitHub Advisory)

Summary

A vulnerability in ASGI web servers, combined with starlette's trust in those web servers, enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It was discovered during @x41sec's source code audit and allows use of the API without providing the configured VLLM_API_KEY or --api-key.

Details

In https://github.com/vllm-project/vllm/blob/v0.14.0/vllm/entrypoints/openai/api_server.py#L689-L692 the url_path is taken from the URL, which is reconstructed by starlette based on the request scope.

```py
from starlette.datastructures import URL, Headers, MutableHeaders, State
# ...

url_path = URL(scope=scope).path.removeprefix(root_path)
headers = Headers(scope=scope)
if url_path.startswith("/v1") and not self.verify_token(headers):
    response = JSONResponse(content={"error": "Unauthorized"}, status_code=401)
    return response(scope, receive, send)
return self.app(scope, receive, send)
```

The request scope includes the request's Host: header and reconstructs the URL as shown below:

```py
f"{scheme}://{host_header}{path}"
```

Neither starlette nor any of the ASGI servers (including uvicorn, which vllm uses) properly filter the Host: header for invalid characters. This allows an attacker to include special URL characters such as / or ? in the Host: header and thereby control the reconstructed URL and its .path attribute.

FastAPI/starlette's routing uses the HTTP path and does not depend on the parsed url.path attribute, allowing attackers to reach an endpoint via a certain path while providing a different value in the .path.
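The mismatch described above, as an added example (not vLLM's or starlette's code): `reconstructed_path` is a stand-in built on `urllib.parse` that applies the f-string reconstruction quoted in the advisory, and `make_scope`, the `auth_required_*` helpers and the `VALID_HOST` pattern are names and simplifications assumed here. It compares the pre-fix path check with the `scope["path"]` check named in the remediation, and adds a Host-header sanity check that a proxy or log rule could apply.

```python
import re
from urllib.parse import urlsplit

# Simplified host[:port] grammar (reg-name, IPv4 or bracketed IPv6). This is an
# assumption made for the example, not a full RFC 3986 parser.
VALID_HOST = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


def make_scope(path, host):
    """Build a minimal ASGI HTTP scope (constructed sample input)."""
    return {"type": "http", "scheme": "http", "path": path,
            "headers": [(b"host", host.encode("latin-1"))]}


def host_header(scope):
    """Return the Host header value from the scope, or "" if absent."""
    for name, value in scope["headers"]:
        if name.lower() == b"host":
            return value.decode("latin-1")
    return ""


def reconstructed_path(scope):
    """Stand-in for URL(scope=scope).path: rebuild the URL from the Host
    header with the f-string quoted in the advisory, then parse it again."""
    url = f"{scope['scheme']}://{host_header(scope)}{scope['path']}"
    return urlsplit(url).path


def auth_required_before(scope, root_path=""):
    # Pre-fix logic: the decision depends on a client-controlled header.
    return reconstructed_path(scope).removeprefix(root_path).startswith("/v1")


def auth_required_after(scope, root_path=""):
    # Logic per the remediation text: read scope["path"], the same value
    # the router dispatches on.
    return scope["path"].removeprefix(root_path).startswith("/v1")


def host_is_well_formed(scope):
    """Defensive check: flag Host values carrying URL delimiters such as / or ?."""
    return bool(VALID_HOST.match(host_header(scope)))
```

For the Host value quoted in the exploit scenario, `auth_required_before` returns `False` while `auth_required_after` returns `True`, and `host_is_well_formed` rejects the header.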

Impact

  • Instances of vllm that use an API key for the OpenAI API and expose the API to attackers are affected.
  • Instances behind an RFC-conforming web server (such as nginx) are not affected.

Analysis (AI)

Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed vLLM uvicorn port
Delivery: Craft request with malicious Host header
Exploit: Bypass AuthenticationMiddleware path check
Execution: Reach /v1 endpoint via FastAPI routing
Impact: Invoke model inference without API key

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a vLLM instance running a vulnerable version (>= 0.3.0, < 0.22.0) with API-key authentication enabled via VLLM_API_KEY or --api-key, (2) the uvicorn ASGI listener reachable by the attacker without an intermediate RFC-conforming HTTP proxy - deployments behind nginx (or any proxy that rejects invalid Host header characters) are explicitly not vulnerable per the vendor, and (3) the ability to set an arbitrary HTTP Host header containing URL-special characters such as '/' or '?'. …

Risk Assessment: The provided CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (9.1) is consistent with the described primitive: a remote, unauthenticated, single-request bypass that grants access to inference endpoints (high confidentiality of model outputs / prompts and high availability impact through resource exhaustion on expensive GPU calls). …

Exploit Scenario: An attacker locates an internet-exposed vLLM server started with --api-key and reachable directly on its uvicorn port (no nginx in front), then issues a single HTTP request to /v1/chat/completions while setting a crafted Host header such as 'attacker.example/?' so that starlette's URL(scope).path resolves to something that does not start with '/v1'. The AuthenticationMiddleware sees a non-/v1 path and passes the request through without checking the bearer token, while FastAPI's router still dispatches it to the real chat-completions handler - granting the attacker free use of the model. …

Remediation: Vendor-released patch: upgrade vllm to 0.22.0 or later, which replaces the URL(scope).path reconstruction with a direct read of scope['path'] (see https://github.com/vllm-project/vllm/pull/43426 and advisory https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6). …

Recommended Action (AI)

Within 24 hours: Identify and catalog all vLLM deployments running versions 0.3.0-0.21.x and assess whether they serve external traffic. …
