How is CVE-2026-48746 exploited?

Network reachability (required): The attacker must reach the vLLM API endpoint over the network; the service must be exposed to an adjacent or public network for exploitation to occur. Authentication (not-required): No credentials are needed; the vulnerability bypasses the configured VLLM_API_KEY or --api-key check entirely, granting access without any account or token. Victim interaction (not-required): Exploitation is fully server-side; no user action, click, or session is required from any legitimate user or administrator. Attack complexity (info): Attack complexity is low, meaning the bypass is reliable and requires no race conditions, special memory layout, or environmental preconditions beyond network access to the API.

What is the impact of CVE-2026-48746?

Reads responses from the hosted LLM API without authorization, potentially exposing proprietary model outputs, system prompts, and any data passed through inference requests. Sends unlimited API requests under the identity of an unauthenticated caller, exhausting GPU compute and degrading or crashing the inference service for legitimate users. Bypasses usage quotas and rate limits tied to API key validation, enabling cost amplification or resource starvation against the hosting environment.

Back to search

CRITICALCVE-2026-48746Published 2026-06-22Modified 2026-06-22CNA GitHub_M

CVE-2026-48746: vLLM: OpenAI auth bypass

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in vLLM, the open-source inference and serving engine for large language models, affecting versions 0.3.0 through 0.22.0. The flaw stems from how ASGI web servers and the Starlette framework handle trust propagation, allowing the OpenAI API AuthenticationMiddleware to be bypassed entirely; an unauthenticated remote attacker can reach the API over the network with no credentials required. Successful exploitation lets an attacker query and consume the hosted LLM API freely and potentially disrupt service availability. No fix version has been published yet; HarborGuard tracks this advisory and will flag a patched-image rebuild as available the moment an upstream fix ships.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle vLLM. Any image running vLLM 0.3.0 or later up to 0.22.0 will surface this CVE immediately in scan results.

Available

Triage

HarborGuard scores this finding at CVSS 9.1 Critical and weights it against each environment's compliance policy to determine breach-of-policy status and urgency tier. Triage alerts are routed to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, findings are held in an open, monitored state so that no manual advisory tracking is required.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the vLLM API endpoint over the network; the service must be exposed to an adjacent or public network for exploitation to occur.
AuthenticationNot required
No credentials are needed; the vulnerability bypasses the configured VLLM_API_KEY or --api-key check entirely, granting access without any account or token.
Victim interactionNot required
Exploitation is fully server-side; no user action, click, or session is required from any legitimate user or administrator.
Attack complexityDetail
Attack complexity is low, meaning the bypass is reliable and requires no race conditions, special memory layout, or environmental preconditions beyond network access to the API.

Blast Radius

Reads responses from the hosted LLM API without authorization, potentially exposing proprietary model outputs, system prompts, and any data passed through inference requests.
Sends unlimited API requests under the identity of an unauthenticated caller, exhausting GPU compute and degrading or crashing the inference service for legitimate users.
Bypasses usage quotas and rate limits tied to API key validation, enabling cost amplification or resource starvation against the hosting environment.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this CVE at the time of publication, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild option the moment vLLM 0.22.0 or a later fix version is confirmed upstream. While awaiting the patch, recommended compensating controls include applying Kubernetes NetworkPolicy or equivalent network-policy rules to restrict inbound access to the vLLM API to authorized workloads only, placing an authenticating reverse proxy or API gateway in front of the vLLM service to re-enforce credential checks at the network edge, and using environment-variable or secret-manager controls to ensure VLLM_API_KEY is set even if the middleware bypass renders it temporarily ineffective as a sole control. For customers who opt into auto-remediation, a rebuild plus regression run and a PR opened against affected workloads will be triggered automatically once a fix version is available upstream.

See how HarborGuard automates this

Affected packages

vllm-project / vllm
>= 0.3.0, < 0.22.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

Metrics

Get notified