CVE-2026-48746
published 2026-06-22

Priority: P264 · Severity: critical · Score: 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.86% (53.9th percentile)
vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until (but not including) 0.22.0, a vulnerability in ASGI web servers and Starlette's trust in those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows the API to be used without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
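To make the mechanism concrete, here is an added Python model of the bug class described above. It is not vLLM's or Starlette's code: it imitates the common ASGI-framework pattern of reconstructing the request URL as `scheme://<Host header><path>` and parsing it with `urlsplit`, so that a middleware reasoning about the parsed URL path can disagree with the raw ASGI `scope["path"]` the router dispatches on. The `/v1/` prefix rule, the `make_scope` helper, the configured key and the Host header values are constructed for illustration; the page does not publish the exact header used in the disclosure, and whether a given ASGI server forwards such a header unmodified is server-dependent.

```python
"""Model of the Host-header path-mismatch bug class (illustration, not vLLM or Starlette code)."""
from urllib.parse import urlsplit

PROTECTED_PREFIX = "/v1/"  # assumption: only the OpenAI-compatible /v1/* routes require the API key


def make_scope(path: str, host_header: str) -> dict:
    """Build a minimal ASGI HTTP scope. Constructed test data; a real server fills many more keys."""
    return {
        "type": "http",
        "scheme": "http",
        "path": path,  # what the router actually dispatches on
        "headers": [(b"host", host_header.encode("latin-1"))],
    }


def url_path_from_host(scope: dict) -> str:
    """Reconstruct the URL the way many ASGI frameworks do and return its parsed path.

    The raw Host header is concatenated into the URL string and the result is
    parsed with urlsplit, so characters such as '#', '?' or '/' inside Host
    change where urlsplit thinks the path begins.
    """
    host = dict(scope["headers"]).get(b"host")
    if host is None:
        return scope["path"]
    url = f"{scope.get('scheme', 'http')}://{host.decode('latin-1')}{scope['path']}"
    return urlsplit(url).path


def vulnerable_requires_key(scope: dict) -> bool:
    """Decide on the reconstructed URL path (the pattern the advisory describes)."""
    return url_path_from_host(scope).startswith(PROTECTED_PREFIX)


def hardened_requires_key(scope: dict) -> bool:
    """Decide on the raw ASGI path, i.e. the same value the router dispatches on."""
    return scope["path"].startswith(PROTECTED_PREFIX)


def authenticate(scope: dict, presented_key, configured_key,
                 requires_key=vulnerable_requires_key) -> int:
    """Status an API-key middleware would return: 401 if a key is required and absent or wrong, else 200."""
    if requires_key(scope) and presented_key != configured_key:
        return 401
    return 200


if __name__ == "__main__":
    configured = "s3cret"  # constructed; stands in for VLLM_API_KEY / --api-key
    target = "/v1/chat/completions"
    for host in ("vllm.internal:8000", "vllm.internal#", "vllm.internal/health"):
        scope = make_scope(target, host)
        print(f"Host={host!r:24} url.path={url_path_from_host(scope)!r:30} "
              f"vulnerable={authenticate(scope, None, configured)} "
              f"hardened={authenticate(scope, None, configured, hardened_requires_key)}")
```

With a plain Host the two decisions agree and an unauthenticated request to a protected route gets 401. With a Host that carries a `#` or `/`, `urlsplit` moves the route into the fragment or prefixes it, the reconstructed path no longer starts with `/v1/`, and the vulnerable variant lets the request through while the router still serves `/v1/chat/completions`. The hardened variant decides on `scope["path"]`, the value the router uses, so the two cannot diverge; the actual fix shipped in vLLM 0.22.0 is not reproduced here.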

Affected

74 affected ranges; showing 25 (version range and fixed-in values were not captured for these rows)

Vendor | Product
ansible-automation-platform-25 | lightspeed-chatbot-rhel8
ansible-automation-platform-26 | lightspeed-chatbot-rhel9
ansible-automation-platform-26 | mcp-tools-rhel9
ansible-automation-platform-27 | lightspeed-chatbot-rhel9
ansible-automation-platform-27 | mcp-tools-rhel9
exploit-intelligence-tech-preview | vulnerability-analysis-rhel9
mta | mta-solution-server-rhel9
openshift-lightspeed | lightspeed-agentic-sandbox-rhel9
openshift-lightspeed | lightspeed-ocp-rag-rhel9
openshift-lightspeed | lightspeed-service-api-rhel9
rhaii | vllm-cpu-rhel9
rhaii | vllm-cuda-rhel9
rhaii | vllm-gaudi-rhel9
rhaii | vllm-neuron-rhel9
rhaii | vllm-rocm-rhel9
rhaii | vllm-spyre-rhel9
rhaii | vllm-tpu-rhel9
rhaiis | vllm-cpu-rhel9
rhaiis | vllm-cuda-rhel9
rhaiis | vllm-neuron-rhel9
rhaiis | vllm-rocm-rhel9
rhaiis | vllm-spyre-rhel9
rhaiis | vllm-tpu-rhel9
rhelai3 | bootc-aws-cuda-rhel9
rhelai3 | bootc-azure-cuda-rhel9

Detection & IOCs (extracted from sources)

  • The authentication bypass is triggered by crafting a Host header so that the AuthenticationMiddleware evaluates a different URL path than the one the router actually dispatches. Monitor for requests to the vLLM OpenAI-compatible API that carry no valid VLLM_API_KEY yet succeed (HTTP 200), particularly where the Host header is not the hostname the server is actually reached under.
  • Alert on successful (non-401/403) responses from the vLLM OpenAI-compatible API when the request presents no API key, particularly on deployments running vLLM 0.3.0 through 0.21.x (any release before 0.22.0).
  • The bypass requires no code execution and does not compromise integrity. Focus detection on anomalous inference API usage (unexpected volume of completions or chat requests, resource exhaustion) that may indicate unauthorized model use after a successful bypass.
  • The vulnerability is only exploitable when vLLM API-key authentication is enabled (VLLM_API_KEY or --api-key configured). Deployments that set no API key have no check to bypass and are not affected by this issue, although they accept unauthenticated requests by design.
  • Deployments behind an RFC-conforming reverse proxy (for example OpenShift Routes or nginx) that normalizes the Host header are not exploitable; the bypass works only when the vLLM endpoint is reachable directly by the attacker. Verify that the proxy really rewrites or validates Host rather than forwarding the client's value verbatim (an nginx `proxy_set_header Host $http_host;` passes it through unchanged).
  • The root cause lies in how vLLM relies on Starlette's ASGI trust model; there is no documented bug in Starlette itself and no proposed fix in Starlette. The fix is entirely in vLLM 0.22.0.
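The detection bullets above can be turned into a small rule set. The following Python is an added example, not part of the page's sources or of vLLM: it runs over constructed JSON-lines access records (the field names `client`, `host`, `path`, `status` and `has_auth` are assumptions; `has_auth` records only whether an Authorization header was present, never the key itself) and raises an alert for a successful response on a protected `/v1/` route with no credential, for a Host header that is not a plain host[:port] value, and for per-client success volume above a threshold.

```python
"""Detection rules for the vLLM API-key bypass pattern, run over constructed access records.

Added example, not part of the advisory or of vLLM. Record field names are assumptions.
"""
import json
import re
from collections import Counter

PROTECTED_PREFIX = "/v1/"   # assumption: the OpenAI-compatible routes that require VLLM_API_KEY
VOLUME_THRESHOLD = 50       # successful /v1/ calls per client per batch before "anomalous_volume"

# A Host header should be a reg-name or IPv4 literal, or a bracketed IPv6 literal,
# optionally followed by :port. Anything else ('/', '?', '#', '@', whitespace) is suspect.
HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$")

# Constructed sample records (JSON lines). 10.0.0.9 is rejected once, then receives 200s
# on protected routes with no credential while sending malformed Host headers.
SAMPLE_LOG = """
{"ts":"2026-06-23T10:00:01Z","client":"10.0.0.5","method":"POST","host":"vllm.internal:8000","path":"/v1/chat/completions","status":200,"has_auth":true}
{"ts":"2026-06-23T10:00:02Z","client":"10.0.0.9","method":"POST","host":"vllm.internal:8000","path":"/v1/chat/completions","status":401,"has_auth":false}
{"ts":"2026-06-23T10:00:03Z","client":"10.0.0.9","method":"POST","host":"vllm.internal#","path":"/v1/chat/completions","status":200,"has_auth":false}
{"ts":"2026-06-23T10:00:04Z","client":"10.0.0.9","method":"POST","host":"vllm.internal/health","path":"/v1/completions","status":200,"has_auth":false}
{"ts":"2026-06-23T10:00:05Z","client":"10.0.0.7","method":"GET","host":"vllm.internal:8000","path":"/health","status":200,"has_auth":false}
"""


def parse(lines):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_well_formed_host(host: str) -> bool:
    """True when the Host header is a plain host or host:port with no path/query/fragment characters."""
    return bool(HOST_RE.match(host))


def evaluate(records, volume_threshold=VOLUME_THRESHOLD):
    """Apply the three rules and return a list of alert dicts."""
    alerts = []
    successes_per_client = Counter()
    for rec in records:
        path, status, client = rec["path"], rec["status"], rec["client"]
        host = rec.get("host", "")
        protected = path.startswith(PROTECTED_PREFIX)
        success = 200 <= status < 300
        if protected and success:
            successes_per_client[client] += 1
            # Rule 1: a protected route answered 2xx although no credential was presented.
            if not rec.get("has_auth", False):
                alerts.append({"rule": "auth_bypass_suspect", "client": client, "path": path, "host": host})
        # Rule 2: Host header carries characters that do not belong in host[:port].
        if host and not is_well_formed_host(host):
            alerts.append({"rule": "malformed_host", "client": client, "path": path, "host": host})
    # Rule 3: unusual volume of successful inference calls from one client.
    for client, count in successes_per_client.items():
        if count > volume_threshold:
            alerts.append({"rule": "anomalous_volume", "client": client, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run against the sample, the rejected 401 and the unauthenticated `/health` probe produce nothing, while the two 200s on protected routes from 10.0.0.9 each raise both `auth_bypass_suspect` and `malformed_host`. When a reverse proxy rewrites Host before forwarding, as the mitigation above relies on, the `malformed_host` rule only has signal in the proxy's own logs, so point it there.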

CVSS provenance

NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat (vendor): 9.1 CRITICAL