CVE-2026-24779
Published 2026-01-27 · CVE-2026-24779: vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in…
Priority P3 45 · CVSS 3.1 7.1 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
EPSS: 0.53% (40.6th percentile)
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | < 0.14.1 | 0.14.1 |
| vllm | vllm | >= 0 < 0.14.1 | 0.14.1 |
| vllm | vllm | >= 0.15.1 < 0.17.0 | 0.17.0 |
CVSS provenance
NVD · v3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
vendor_redhat · 7.1 HIGH
Red Hat
vLLM: vLLM: Server-Side Request Forgery bypass via inconsistent URL parsing
vendor_redhat·2026-03-09·CVSS 7.1
CVE-2026-25960 [HIGH] CWE-474 vLLM: vLLM: Server-Side Request Forgery bypass via inconsistent URL parsing
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this Server-Side Request Forgery (SSRF) bypas
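The original advisory (CVE-2026-24779) and the follow-up (CVE-2026-25960) describe one root cause: the host is validated with one URL parser and the request is made by a client that parses the same string differently. The added example below is not vLLM's code and not the project's fix; it reproduces that disagreement using Python's urllib.parse next to a small regex that models an RFC 3986 style authority rule (assumed here to mirror the authority group in urllib3's parse_url, and re-implemented so the example runs without urllib3), then shows a check that refuses to proceed unless every parser in play agrees on a single allowlisted host. The payload URL, the allowlist, the internal address and the hostnames are constructed for this illustration.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed payload (not taken from the advisory): the internal host sits in
# front of a backslash and an '@', the allowlisted host comes after them.
PAYLOAD = "http://127.0.0.1\\@media.example/img.png"
ALLOWED_HOSTS = {"media.example"}

# Stand-in for an RFC 3986 style client parser: the authority stops at the
# first '/', '?', '#' or backslash. Assumption: this mirrors the
# ([^\\/?#]*) authority group in urllib3.util.parse_url; it is re-implemented
# here so the example runs without urllib3 installed.
_RFC3986_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^\\/?#]*)")


def rfc3986_host(url: str) -> Optional[str]:
    """Host as an RFC 3986 style parser sees it (backslash ends the authority)."""
    m = _RFC3986_AUTHORITY_RE.match(url)
    if not m:
        return None
    authority = m.group(1)
    hostport = authority.rpartition("@")[2]        # drop userinfo, if any
    host = hostport.split(":", 1)[0].lower()       # drop port (no IPv6 here)
    return host or None


def stdlib_host(url: str) -> Optional[str]:
    """Host as urllib.parse sees it: backslash is not a delimiter, so the netloc
    runs to the next '/', and .hostname keeps what follows the LAST '@'."""
    return urlparse(url).hostname


def naive_is_allowed(url: str) -> bool:
    """The bug pattern: validate with one parser, let the client use another."""
    return stdlib_host(url) in ALLOWED_HOSTS


# Characters RFC 3986 permits in a URL; backslash, whitespace and control
# characters are not among them, so they are refused before any parser runs.
_URL_CHARS_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def hardened_is_allowed(url: str) -> bool:
    """Refuse out-of-grammar input, then require every parser in play to agree
    on one host, and require that host to be allowlisted."""
    if not _URL_CHARS_RE.match(url):
        return False
    hosts = {stdlib_host(url), rfc3986_host(url)}
    return len(hosts) == 1 and next(iter(hosts)) in ALLOWED_HOSTS


if __name__ == "__main__":
    for label, url in [("payload", PAYLOAD), ("benign", "http://media.example/img.png")]:
        print(f"{label:8} stdlib={stdlib_host(url)!r:18} rfc3986={rfc3986_host(url)!r:18} "
              f"naive={naive_is_allowed(url)} hardened={hardened_is_allowed(url)}")
```

Run stand-alone, the payload line shows the stdlib parser reporting media.example while the RFC 3986 style parser reports 127.0.0.1, so the naive check passes and a client using the second parser would connect to the internal address; the hardened check rejects the same input on the backslash alone. The cross-parser agreement check is a defence in depth, not a substitute for upgrading to the fixed versions in the table above, and a production allowlist should additionally resolve the host and refuse loopback, link-local and private ranges, which this offline example does not do.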
Red Hat
vLLM: vLLM: Server-Side Request Forgery allows internal network access
vendor_redhat·2026-01-27·CVSS 7.1
CVE-2026-24779 [HIGH] CWE-918 vLLM: vLLM: Server-Side Request Forgery allows internal network access
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environme
VulDB
vLLM up to 0.14.0 MediaConnector server-side request forgery (GHSA-qh4c-xf7m-gxfc / EUVD-2026-4711)
vuldb·2026-07-01·CVSS 7.1
CVE-2026-24779 [HIGH] vLLM up to 0.14.0 MediaConnector server-side request forgery (GHSA-qh4c-xf7m-gxfc / EUVD-2026-4711)
A vulnerability marked as critical has been reported in vLLM up to 0.14.0. This vulnerability affects the function MediaConnector. Performing a manipulation results in server-side request forgery.
This vulnerability is reported as CVE-2026-24779. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
ghsa·2026-01-28
CVE-2026-24779 [HIGH] CWE-918 vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the interna
OSV
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
osv·2026-01-28
CVE-2026-24779 [HIGH] vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the interna
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25960 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25960 [HIGH] CVE-2026-25960 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25960: vLLM vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.
Source: NVD
Score: 9.8 (Severity CRITICAL) · CNA Score: 7.1
Published: March 9, 2026
Affected Technologies: vLLM
Has Public Exploit: Yes · Has CISA KEV Exploit: No
CISA KEV Re
Wiz
CVE-2026-24779 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24779 [HIGH] CVE-2026-24779 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24779: Chainguard vulnerability analysis and mitigation
Tags: MediaConnector, llm-d
Source: NVD
Score: 7.1 (Severity HIGH) · CNA Score: 7.1
Published: January 27, 2026
Affected Technologies: Chainguard, vLLM
Has Public Exploit: Yes · Has CISA KEV Exploit: No
CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 4.8 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: vllm, tritonserver-backend-vllm-cuda-13.0
Sources: NVD; Chainguard (Has Fix, added Mar 29, 2026); pip (Severity HIGH, Has Fix, added Jan 28, 2026)
References
https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7
https://github.com/vllm-project/vllm/pull/32746
https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/security/cve/CVE-2026-24779
https://bugzilla.redhat.com/show_bug.cgi?id=2433624
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24779.json
Published 2026-01-27