CVE Catalog

CVE-2026-48746

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.86%

54th percentile — higher than 54% of all known CVEs

Summary

A vulnerability in the vLLM inference engine (versions 0.3.0 through 0.22.0) allows bypassing OpenAI API authentication. The flaw lies in ASGI web servers and starlette's trust in request headers, enabling API usage without the configured VLLM_API_KEY.

Risk Assessment

The organization is exposed to unauthorized access to LLM APIs, potentially leading to data leakage, resource abuse, and security policy violations.

Recommendation

Upgrade vLLM to version 0.22.0 or later immediately. Until then, consider additional API protection via firewall or authenticating proxy.

Original NVD description (English source)

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS