Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.
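The root cause described above is a host check performed by one parser while the request is issued by another that reads backslashes differently. The validator below is an added defensive illustration written for this page, not vLLM's own code: it rejects inputs whose authority is ambiguous before parsing, parses once with `urllib.parse`, checks literal internal addresses and an allowlist, and hands back a canonical URL rebuilt from the very components that were checked, so the fetch cannot target a different host than the one validated. The allowlist and the `host_is_internal` helper are assumptions for the example; DNS resolution is out of scope.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment loads this from config.
ALLOWED_MEDIA_HOSTS = {"media.example.com", "cdn.example.com"}


def host_is_internal(host: str) -> bool:
    """True when host is a literal IP in a loopback, link-local, private or
    reserved range. Hostnames are not resolved here (assumption of the example)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal IP; allowlist decides below
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def check_media_url(url: str, allowed_hosts=ALLOWED_MEDIA_HOSTS) -> tuple[bool, str]:
    """Return (allowed, detail). On success detail is the canonical URL rebuilt
    from the parsed parts that were checked; the HTTP client must fetch that
    string, never the raw user input, so check and fetch see one and the same host."""
    # Backslashes are read as path separators by some URL parsers and as ordinary
    # host/userinfo characters by others; refuse them before any parsing happens.
    if "\\" in url:
        return False, "backslash in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    # Userinfo ("user@host") is another spot where parsers disagree on the host.
    if "@" in parts.netloc:
        return False, "userinfo in authority"
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        return False, "empty host"
    if host_is_internal(host):
        return False, f"host {host} is an internal address"
    if host not in allowed_hosts:
        return False, f"host {host} not in allowlist"
    return True, parts.geturl()
```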
Published: 2026-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery leading to arbitrary internal network requests
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the MediaConnector class of the vLLM inference engine allows an attacker to supply a media URL that bypasses the intended host‑restriction logic. The bug arises from different parsing rules for backslashes in two Python libraries used by the load_from_url and load_from_url_async methods, which enables attackers to coerce the server into making requests to internal network hosts. The resulting SSRF can expose sensitive internal services, trigger denial of service or cause unintended interactions with other components in containerised environments.

Affected Systems

vllm-project vLLM, the open‑source LLM inference and serving engine. The flaw affects all deployments using the multimodal feature set prior to version 0.14.1. Version 0.14.1 introduces a patch that resolves the host‑restriction bypass.

Risk and Exploitability

The vulnerability is scored 7.1 (High) on the CVSS scale, while the EPSS score is below 1%, indicating that the estimated probability of exploitation in the wild is currently low. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be remote, originating from user‑supplied media URLs that the server processes. Once exploited, an attacker can direct the vLLM pod to reach arbitrary internal endpoints, potentially accessing confidential data or disrupting service availability.

Generated by OpenCVE AI on April 18, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.14.1 or newer to apply the official fix.
  • If upgrading is not immediately possible, disable or remove the MediaConnector feature so that load_from_url is not exposed until the patch is applied.
  • Configure network policies or firewall rules to prevent the vLLM pod from initiating outbound connections to internal services and block access to non‑public endpoints.



Advisories
Source        ID                    Title
GitHub GHSA   GHSA-qh4c-xf7m-gxfc   vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
History

Fri, 30 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Vllm; Vllm vllm
CPEs                 -                cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products   -                Vllm; Vllm vllm

Wed, 28 Jan 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Vllm-project; Vllm-project vllm
Vendors & Products   -                Vllm-project; Vllm-project vllm

Wed, 28 Jan 2026 12:15:00 +0000

Type         Values Removed          Values Added
References   -                       -
Metrics      threat_severity: None   threat_severity: Important


Tue, 27 Jan 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description   -                vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.
Title         -                vLLM vulnerable to Server-Side Request Forgery (SSRF) in `MediaConnector`
Weaknesses    -                CWE-918
References    -                -
Metrics       -                cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T21:10:38.916Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24779

Vulnrichment

Updated: 2026-01-28T21:10:35.574Z

NVD

Status : Analyzed

Published: 2026-01-27T22:15:57.280

Modified: 2026-01-30T14:41:25.530

Link: CVE-2026-24779

Redhat

Severity : Important

Public Date: 2026-01-27T22:01:13Z

Links: CVE-2026-24779 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses