vLLM: OpenAI auth bypass
Summary
| CVE | CVE-2026-48746 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 23:16:30 UTC |
| Updated | 2026-07-07 12:16:56 UTC |
| Description | vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.010140000 probability, percentile 0.590740000 (date 2026-07-08)
Problem Types: CWE-444 | CWE-501 | CWE-444 CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | CWE-501 Trust Boundary Violation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | [email protected] | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | CNA | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Vllm-project | Vllm | affected >= 0.3.0, < 0.22.0 | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server 3.3 | Not specified | Not specified |
| ADP | Red Hat | Exploit Intelligence | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Applications 8 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| x41-dsec.de/lab/advisories/x41-2026-002-starlette | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | x41-dsec.de | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:36006 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/vllm-project/vllm/pull/43426 | [email protected] | github.com | Issue Tracking |
| access.redhat.com/errata/RHSA-2026:30089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6 | [email protected] | github.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:30088 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36005 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-48746 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48746.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| x41-dsec.de/lab/advisories/x41-2026-002-starlette | MITRE | x41-dsec.de | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-22T23:00:57.824Z | Reported to Red Hat. |
| ADP | 2026-06-22T21:57:28.997Z | Made public. |
Solutions
ADP: RHSA-2026:36005: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:36006: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:30089: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:30088: Red Hat AI Inference Server 3.3
Workarounds
ADP: Restrict network access to the vLLM API endpoint to only trusted clients and internal networks. Implement firewall rules or network policies to limit inbound connections to the vLLM service, thereby reducing the attack surface. This operational control helps prevent unauthorized external access to the vulnerable API.