CVE-2026-48746
Published 2026-06-22
Priority: P2 (64) · Critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.86% (53.9th percentile)
vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust in those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows use of the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
Affected
74 affected ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-26 | mcp-tools-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-27 | mcp-tools-rhel9 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| mta | mta-solution-server-rhel9 | — | — |
| openshift-lightspeed | lightspeed-agentic-sandbox-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| rhaii | vllm-cpu-rhel9 | — | — |
| rhaii | vllm-cuda-rhel9 | — | — |
| rhaii | vllm-gaudi-rhel9 | — | — |
| rhaii | vllm-neuron-rhel9 | — | — |
| rhaii | vllm-rocm-rhel9 | — | — |
| rhaii | vllm-spyre-rhel9 | — | — |
| rhaii | vllm-tpu-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-cuda-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-rocm-rhel9 | — | — |
| rhaiis | vllm-spyre-rhel9 | — | — |
| rhaiis | vllm-tpu-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Exploitation works by crafting a Host header so that the AuthenticationMiddleware checks a different URL path than the one actually dispatched. Monitor for requests to the vLLM OpenAI-compatible API that carry no valid VLLM_API_KEY yet succeed (HTTP 200) because of that path mismatch.
- Alert on successful API responses (anything other than 401/403) from the vLLM OpenAI-compatible API when no API key is present in the request, particularly on deployments running vLLM 0.3.0 through 0.21.x (before 0.22.0).
- The bypass requires no code execution or integrity compromise, so detection should focus on anomalous inference-API usage (unexpected volume of completions or chat requests, resource exhaustion) that may indicate unauthorized model use after a successful bypass.
- The vulnerability is only exploitable when vLLM API-key authentication is explicitly enabled (VLLM_API_KEY or --api-key configured). Deployments without an API key set are not affected by this bypass, since there is no key check to evade.
- Deployments behind an RFC-conforming reverse proxy (e.g., OpenShift Routes, nginx) that normalizes the Host header are not exploitable; the bypass only works when the attacker can reach the vLLM endpoint directly.
- The root cause lies in how vLLM uses Starlette's ASGI trust model: there is no documented bug in Starlette and no proposed fix in Starlette; the fix is entirely in vLLM 0.22.0.
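The first bullet above, and the GHSA details further down the page, describe the mechanism: the middleware guards a path rebuilt from the Host header, while the router dispatches on the path in the ASGI scope. The following is an added model of that mismatch; it is not vLLM's or starlette's code. The vulnerable function mirrors the shape of the vLLM middleware excerpt quoted in the GHSA entry (a URL rebuilt from the request scope, then `.path.removeprefix(root_path)`). `reconstructed_path` uses starlette's `URL(scope=...)` when starlette is importable and otherwise a stand-in that mirrors how that class builds its string (`scheme://<Host header><path>`, parsed with `urlsplit`); that reading of starlette is mine and is not stated on the page. The hardened variant, the sample API key, the host values and the `make_scope` helper are assumptions for illustration; the actual fix is in the vLLM pull request listed under references and may differ.

```python
"""Added model of the CVE-2026-48746 path-mismatch bypass (illustrative only)."""
from __future__ import annotations

from urllib.parse import urlsplit

try:  # prefer starlette's own scope -> URL reconstruction when the package is installed
    from starlette.datastructures import URL as _URL

    def reconstructed_path(scope: dict) -> str:
        return _URL(scope=scope).path
except ImportError:  # stand-in mirroring "scheme://<Host header><path>" + urlsplit (assumption)
    def reconstructed_path(scope: dict) -> str:
        host_header = None
        for key, value in scope["headers"]:
            if key == b"host":
                host_header = value.decode("latin-1")
                break
        path = scope["path"]
        if host_header is None:
            return urlsplit(path).path
        return urlsplit(f"{scope.get('scheme', 'http')}://{host_header}{path}").path

API_KEY = "demo-key-not-real"  # constructed; stands in for VLLM_API_KEY / --api-key


def make_scope(path: str, host: str | None, token: str | None = None) -> dict:
    """Build a minimal ASGI HTTP scope, as an ASGI server would hand it to the app (assumed shape)."""
    headers = []
    if host is not None:
        headers.append((b"host", host.encode("latin-1")))
    if token is not None:
        headers.append((b"authorization", f"Bearer {token}".encode()))
    return {"type": "http", "scheme": "http", "server": ("127.0.0.1", 8000),
            "root_path": "", "path": path, "query_string": b"", "headers": headers}


def _token_ok(scope: dict) -> bool:
    for key, value in scope["headers"]:
        if key == b"authorization":
            return value == f"Bearer {API_KEY}".encode()
    return False


def dispatched_path(scope: dict) -> str:
    """The path the router actually matches on: scope['path'] minus the mount prefix."""
    return scope["path"].removeprefix(scope.get("root_path", ""))


def vulnerable_status(scope: dict) -> int:
    """Pre-0.22.0 shape: guard the Host-derived path, then hand off to the router."""
    url_path = reconstructed_path(scope).removeprefix(scope.get("root_path", ""))
    if url_path.startswith("/v1") and not _token_ok(scope):
        return 401
    return 200  # the router serves dispatched_path(scope), whatever url_path said


def hardened_status(scope: dict) -> int:
    """Assumed fix for illustration: guard exactly the path the router dispatches on."""
    if dispatched_path(scope).startswith("/v1") and not _token_ok(scope):
        return 401
    return 200


if __name__ == "__main__":
    honest = make_scope("/v1/chat/completions", "vllm.internal:8000")
    crafted = make_scope("/v1/chat/completions", "vllm.internal/anything")  # constructed attacker Host
    for name, scope in (("honest, no key", honest), ("crafted Host, no key", crafted)):
        print(name, "| auth sees:", reconstructed_path(scope),
              "| router serves:", dispatched_path(scope),
              "| vulnerable:", vulnerable_status(scope), "| hardened:", hardened_status(scope))
```

Run it and compare the two rows: with `Host: vllm.internal/anything` the pre-fix check sees `/anything/v1/chat/completions`, skips the token check, and the router still serves `/v1/chat/completions`. A proxy that rejects or rewrites such a Host header breaks the chain, which is the reverse-proxy caveat the page gives.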
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 9.1 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| Red Hat (vendor) | 9.1 | Critical | — |
GHSA
vLLM: OpenAI auth bypass
ghsa · 2026-06-16 · CRITICAL · CWE-444
### Summary
A vulnerability in ASGI web servers and starlette's trust in those web servers enables an authentication bypass of the OpenAI API `AuthenticationMiddleware`; it was discovered during @x41sec's source code audit.
It allows use of the API without providing the configured `VLLM_API_KEY` or `--api-key`.
### Details
In https://github.com/vllm-project/vllm/blob/v0.14.0/vllm/entrypoints/openai/api_server.py#L689-L692 the `url_path` is taken from the `URL`, which is reconstructed by _starlette_ based on the request `scope`.
```py
from starlette.datastructures import URL, Headers, MutableHeaders, State
# ...
url_path = URL(scope=scope).path.removeprefix(root_path)
headers = Headers(scope=scope)
if url_path.startswith("/v1") and not self.verify_token(he
```
Red Hat
vllm: starlette: vLLM: Critical authentication bypass allows unauthorized API access
vendor_redhat · 2026-06-22 · CVSS 9.1 · CRITICAL · CWE-501
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability, residing in ASGI web servers and Starlette's trust in them, allows an attacker to bypass the OpenAI API Authentication Middleware. This bypass enables unauthorized access to the API without requiring the configured VLLM_AP
No detection rules found.
No public exploits indexed.
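Since no detection rule is indexed, here is an added starting point (not from the page, vLLM or Red Hat) that turns the two hints in the Detection & IOCs section above into code: flag 2xx responses on `/v1` routes that carried no Authorization header, and flag Host headers containing characters that change the meaning of a URL rebuilt as `scheme://<Host><path>`. The log format (JSON lines with `ts`, `method`, `path`, `host`, `status`, `has_auth`) and the sample records are constructed assumptions; most ASGI servers do not log the Host header or the presence of Authorization by default, so these fields have to come from a reverse proxy or a custom access-log format.

```python
"""Added detection example for CVE-2026-48746 over constructed access-log lines."""
from __future__ import annotations

import json
import re

# Characters that have no place in a Host header; a URL rebuilt as
# "scheme://<Host><path>" changes meaning as soon as one of them appears.
_SUSPICIOUS_HOST = re.compile(r"[/?#@\s\\]")

# Constructed sample records (JSON lines, assumed field names); not real traffic.
SAMPLE_LOG = """\
{"ts":"2026-06-23T10:00:01Z","method":"GET","path":"/v1/models","host":"vllm.internal:8000","status":200,"has_auth":true}
{"ts":"2026-06-23T10:00:02Z","method":"POST","path":"/v1/chat/completions","host":"vllm.internal:8000","status":401,"has_auth":false}
{"ts":"2026-06-23T10:00:03Z","method":"POST","path":"/v1/chat/completions","host":"vllm.internal/x","status":200,"has_auth":false}
{"ts":"2026-06-23T10:00:04Z","method":"GET","path":"/health","host":"vllm.internal:8000","status":200,"has_auth":false}
{"ts":"2026-06-23T10:00:05Z","method":"POST","path":"/v1/completions","host":"vllm.internal?","status":200,"has_auth":false}
"""


def classify(record: dict) -> list[str]:
    """Return the detection labels that apply to one access-log record."""
    labels = []
    protected = record["path"].startswith("/v1")
    success = 200 <= record["status"] < 300
    if protected and success and not record.get("has_auth", False):
        # bypass symptom: a non-401/403 answer on a guarded route with no key presented
        labels.append("unauthenticated_success_on_v1")
    if _SUSPICIOUS_HOST.search(record.get("host", "")):
        # bypass vehicle: a crafted Host header that shifts the reconstructed path
        labels.append("malformed_host_header")
    return labels


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Parse JSON lines and return (timestamp, labels) for every record that fired."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        labels = classify(rec)
        if labels:
            findings.append((rec["ts"], labels))
    return findings


if __name__ == "__main__":
    for ts, labels in scan(SAMPLE_LOG):
        print(ts, ", ".join(labels))
```

The first rule only means something where an API key is configured; on a deployment with no key, every unauthenticated success is expected. Both rules firing on the same record (a crafted Host header together with an unauthenticated success on a `/v1` route) is the pairing to prioritise.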
Bugzilla
CVE-2026-48746 python-starlette: vLLM: Critical authentication bypass allows unauthorized API access [fedora-all]
bugzilla · 2026-06-29 · CVSS 9.1 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48746 python-starlette: vLLM: Critical authentication bypass allows unauthorized API access [epel-all]
bugzilla · 2026-06-24 · CVSS 9.1 · CRITICAL
Discussion:
Looking at https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6, this appears to be a bug in how the vllm software uses Starlette. There is no documented bug in Starlette, no proposed fix in Starlette, and vllm itself is not even packaged in either Fedora or EPEL.
Bugzilla
CVE-2026-48746 vllm: starlette: vLLM: Critical authentication bypass allows unauthorized API access
bugzilla · 2026-06-22 · CVSS 9.1 · CRITICAL
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · CVE-2026-24858 [CRITICAL] · CVSS 9.8
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
References
- https://github.com/vllm-project/vllm/pull/43426
- https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6
- https://x41-dsec.de/lab/advisories/x41-2026-002-starlette
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/security/cve/CVE-2026-48746
- https://bugzilla.redhat.com/show_bug.cgi?id=2491581
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48746.json