CVE-2026-48746: Critical Authentication Bypass in vLLM
| Field | Value |
|---|---|
| CVE ID | CVE-2026-48746 |
| CVSS score | 9.1 |
| Attack vector | Network |
| Auth required | None |
| Patch status | Fixed in vLLM 0.22.0 |
TL;DR - vLLM versions
0.3.0through before0.22.0contain a critical auth bypass. - Attackers may access the OpenAI-compatible API without the configured API key. - Upgrade to0.22.0or later urgently, especially for exposed or shared deployments.
Vulnerability at a Glance
CVE-2026-48746 is a critical authentication bypass in vLLM, the model inference and serving engine used to expose OpenAI-compatible APIs for large language model workloads. According to the NVD description, the flaw affects vLLM versions from 0.3.0 until 0.22.0, which means 0.3.0 through all versions before 0.22.0 are affected, and the issue is fixed in 0.22.0.
The vulnerability allows requests to reach the OpenAI-compatible API without supplying the configured VLLM_API_KEY or --api-key. That matters operationally because many teams treat the API key check as the first and sometimes only gate protecting expensive inference endpoints. If that assumption fails, the result is not just a theoretical control bypass. It can become unauthorized access to GPU-backed services, unplanned spend, and abuse of internal AI infrastructure.
What Is This Vulnerability?
The official description attributes the bug to trust assumptions between Starlette and ASGI web servers in how request paths are interpreted for authentication decisions. In practice, this means the OpenAI API AuthenticationMiddleware in vulnerable vLLM deployments can be bypassed under certain request-handling conditions. The core security impact is straightforward: an attacker may be able to use the API without presenting the configured API key.
There is still an important limitation on what can be said with certainty. The primary sources available here do not safely provide a complete exploit walkthrough, exact request variants, or a definitive CVSS vector string. Defenders should not fill in those gaps with assumptions. What is known is enough to act: this is a network-reachable, no-auth authentication bypass in a common AI-serving component, and the upstream project fixed it in 0.22.0.
Who Is Affected?
Affected software is vLLM versions 0.3.0 up to, but excluding, 0.22.0. Put plainly, if you are running any vLLM release from 0.3.0 through 0.21.x, you should treat the instance as vulnerable until proven otherwise. The fixed version is explicitly stated as 0.22.0.
This is most urgent for organizations exposing vLLM through internet-facing endpoints, internal shared services, developer platforms, or multi-tenant AI environments. Even if your deployment sits behind another control such as an API gateway, reverse proxy, VPN, or service mesh, you should still patch. Middleware-level auth bypasses become especially dangerous when downstream systems assume the application has already enforced authentication.
Severity and Risk Assessment
The NVD assigns CVSS 9.1, placing this issue in the critical range. The exact vector string was not safely available in the provided source material, so it should not be invented. Still, the score aligns with the likely risk profile: remote reachability, no valid credentials required, and direct access to protected API functionality.
For practitioners, the bigger question is not whether the label says “critical,” but what an attacker can do after exploitation. In many vLLM environments, successful bypass could permit unauthorized prompt submission, model invocation, token consumption, and abuse of attached compute. Depending on how the service is integrated, there may also be downstream consequences such as access to internal workflows, prompt pipelines, or applications that trust the vLLM endpoint as a protected internal service.
Exploitation Status and PoC Availability
At the time of writing, CISA KEV does not list CVE-2026-48746, and there is no primary-source confirmation of exploitation in the wild in the materials provided. That means defenders should not claim active exploitation as established fact. It also means you should avoid overreacting to social chatter that does not cite verifiable evidence.
Likewise, no standalone public PoC repository is confirmed from the primary references retrieved here. There are disclosure and advisory references, including the GitHub security advisory and an X41 advisory referenced by NVD, but that is not the same as a weaponized, public exploit. In the absence of confirmed exploitation or a public PoC, defenders should still assume rapid reproduction is possible because the vulnerability class is attractive, the product is widely discussed, and the fix is public.
Bottom Line
CVE-2026-48746 is a critical authentication bypass in vLLM that affects versions 0.3.0 through before 0.22.0 and is fixed in 0.22.0. The issue can allow use of the OpenAI-compatible API without the configured VLLM_API_KEY or --api-key, which is a serious failure for any deployment relying on that control.
There is no confirmed in-the-wild exploitation and no confirmed standalone public PoC from the primary sources reviewed here. That should not delay response. For defenders, the correct posture is straightforward: inventory vLLM instances, patch to 0.22.0 or later, verify unauthorized requests are rejected, and add compensating controls where immediate upgrades are not possible.
For further reading on software vulnerabilities, check out our article on software vulnerabilities and learn more about OIDC.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
How to Detect Exposure and Possible Abuse
Your first detection step is asset and version validation. Identify every vLLM deployment and confirm whether it is running a release from 0.3.0 through before 0.22.0. If your inventory is incomplete, search deployment manifests, container tags, Python package listings, and startup scripts for vllm references. For exposed endpoints, validate whether unauthenticated requests can reach OpenAI-compatible routes that should require VLLM_API_KEY or --api-key.
The second step is behavioral review. Because the core symptom is API access without valid authentication, look for successful requests to OpenAI-compatible endpoints where an Authorization: Bearer header is missing, malformed, or inconsistent with your expected client behavior. If your logging does not capture auth headers for privacy reasons, focus on the combination of successful status codes and requests from unknown sources to endpoints that should have been blocked.
Technical Notes
Example commands to identify installed versions:
python -m pip show vllm
pip freeze | grep -i '^vllm=='
python -c "import vllm; print(vllm.__version__)"
If vLLM is running in a container:
docker ps --format '{{.ID}} {{.Image}} {{.Names}}'
docker exec -it <container_id> python -c "import vllm; print(vllm.__version__)"
Look for requests to common OpenAI-compatible API paths such as:
/v1/chat/completions
/v1/completions
/v1/embeddings
/v1/models
A concrete HTTP access-log hunting pattern is:
"(POST|GET) /v1/(chat/completions|completions|embeddings|models) HTTP/1\.[01]" (200|201)
If your reverse proxy logs capture auth presence indirectly, hunt for successful API responses without an authorization header marker. For example, in Splunk-style pseudocode:
index=proxy_logs (uri_path="/v1/chat/completions" OR uri_path="/v1/completions" OR uri_path="/v1/embeddings" OR uri_path="/v1/models")
status IN (200,201)
| eval auth_present=if(isnull(authorization) OR authorization="", "no", "yes")
| stats count by src_ip, uri_path, status, auth_present, user_agent
| where auth_present="no"
If your environment does not log headers, assume detection coverage is incomplete. In that case, prioritize emergency patching and compensate with IP allowlists, gateway enforcement, and upstream auth checks until all instances are updated.
Mitigation and Patching
The primary remediation is to upgrade vLLM to 0.22.0 or later. That is the only fix version confirmed by the sources provided. If you manage vLLM through Python packaging, containers, or orchestration manifests, make sure the deployed runtime actually uses the updated package and not a cached older layer. After upgrading, restart the service and validate that requests without the configured API key are rejected.
If you cannot patch immediately, reduce exposure aggressively. Put the service behind a trusted reverse proxy or API gateway that independently enforces authentication before requests ever reach vLLM. Restrict source IP ranges, remove direct internet exposure, and prefer private networking. These workarounds are compensating controls, not substitutes for the fixed version, because the underlying flaw sits in the application’s auth handling.
Technical Notes
Upgrade with pip:
python -m pip install --upgrade 'vllm>=0.22.0'
If you need the exact fixed release:
python -m pip install --upgrade 'vllm==0.22.0'
Then verify:
python -c "import vllm; print(vllm.__version__)"
If you launch vLLM directly, review startup arguments and environment settings after upgrade:
echo "$VLLM_API_KEY"
ps aux | grep -i vllm
A temporary reverse-proxy workaround using NGINX to block requests without an Authorization header might look like:
location /v1/ {
if ($http_authorization = "") {
return 401;
}
proxy_pass http://vllm_backend;
}
That workaround should be treated carefully. It can reduce exposure, but it does not guarantee semantic equivalence with application-level auth, and it may not cover all deployment paths or trusted-header edge cases. Test it before relying on it in production.
Validation After Remediation
After patching, perform a direct functional test from a non-privileged host. Send one request without any bearer token and confirm the service denies it. Then send the same request with a known valid API key and confirm normal behavior. This is the simplest way to prove the vulnerable auth path is no longer reachable.
Also review your observability pipeline. For a vulnerability like this, many teams discover too late that they cannot distinguish authenticated from unauthenticated access in logs. Update reverse proxy, WAF, or application logging so that future investigations can answer three questions quickly: which endpoint was called, whether auth was presented, and whether the request was allowed.
References
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-48746
- GitHub security advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6
- Patch reference / pull request: https://github.com/vllm-project/vllm/pull/43426
- Additional advisory: https://x41-dsec.de/lab/advisories/x41-2026-002-starlette
- Official vLLM project: https://github.com/vllm-project/vllm