CVE-2026-48746
CVE-2026-48746 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. vLLM is an inference and serving engine for large language models (LLMs). From version 0.3.0 until 0.22.0, a vulnerability in ASGI web servers, and in Starlette's trust of those web servers, enables an authentication bypass of the OpenAI API AuthenticationMiddleware. EPSS estimates a 0.74% chance of exploitation in the next 30 days.
Description
vLLM is an inference and serving engine for large language models (LLMs). From version 0.3.0 until 0.22.0, a vulnerability in ASGI web servers, and in Starlette's trust of those web servers, enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows use of the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vllm | Vllm | >= 0.3.0, < 0.22.0 |
References
- https://github.com/vllm-project/vllm/pull/43426 (Issue Tracking)
- https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6 (Third Party Advisory)
- https://x41-dsec.de/lab/advisories/x41-2026-002-starlette (Third Party Advisory)
Source: NVD / NIST
