CVE-2026-48746
CriticalCVSS 9.1Exploitation Probability (EPSS)
Elevated risk54th percentile — higher than 54% of all known CVEs
Summary
A vulnerability in the vLLM inference engine (versions 0.3.0 through 0.22.0) allows bypassing OpenAI API authentication. The flaw lies in ASGI web servers and starlette's trust in request headers, enabling API usage without the configured VLLM_API_KEY.
Risk Assessment
The organization is exposed to unauthorized access to LLM APIs, potentially leading to data leakage, resource abuse, and security policy violations.
Recommendation
Upgrade vLLM to version 0.22.0 or later immediately. Until then, consider additional API protection via firewall or authenticating proxy.
Original NVD description (English source)
vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.

