Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
Published: 2026-06-22
Score: 9.1 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vLLM, an inference engine for large language models, includes an OpenAI AuthenticationMiddleware that requires a configured VLLM_API_KEY or a command‑line --api-key. A flaw in the way ASGI web servers and Starlette’s trust‑on‑headers feature integrate with that middleware allows a request that is missing the key to be treated as authenticated. This results in unauthenticated users obtaining direct access to the LLM service, which can expose sensitive model output, enable unauthorized inference, and allow unregulated consumption of compute resources. The weakness reflects a boundary violation (CWE-444) and can lead to evidence tampering (CWE-501).

Affected Systems

All released versions of vLLM from 0.3.0 through 0.21.9 are vulnerable. The product, named vLLM and produced by the vllm‑project, is typically exposed behind ASGI‑compatible servers such as Uvicorn, Hypercorn or Starlette itself. Users running these server environments have exposed API endpoints that the vulnerability targets.

Risk and Exploitability

The vulnerability has a CVSS score of 9.1, placing it in the critical category. Its EPSS score is less than 1 %, indicating a low but non‑zero probability of exploitation. It has not appeared in the CISA KEV catalog. Attackers would likely attempt exploitation over the network by sending crafted HTTP requests to the API endpoints served by the ASGI server, taking advantage of Starlette’s default trust‑headers configuration that forwards client IP information without proper validation.

Generated by OpenCVE AI on June 25, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.22.0 or later, which contains the authentication bypass fix.
  • Reconfigure the OpenAI AuthenticationMiddleware to reject requests that lack a valid VLLM_API_KEY or the --api-key flag, even when ASGI servers are set to trust certain headers.
  • Disable or tightly limit Starlette’s trust‑on‑headers feature for the vLLM deployment, ensuring only internal or explicitly trusted headers are honored.
  • Implement detailed request logging that records API key usage and audit logs for any requests that arrive without a valid key, and configure alerts to detect such activity.

Generated by OpenCVE AI on June 25, 2026 at 02:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-94f4-hr76-p5j6 vLLM: OpenAI auth bypass
History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
References
Metrics threat_severity

None

threat_severity

Important


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Mon, 22 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0.
Title vLLM: OpenAI auth bypass
Weaknesses CWE-444
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T12:05:51.021Z

Reserved: 2026-05-22T19:10:35.747Z

Link: CVE-2026-48746

cve-icon Vulnrichment

Updated: 2026-07-08T12:05:51.021Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-22T21:57:28Z

Links: CVE-2026-48746 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:00:10Z

Weaknesses
  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

  • CWE-501

    Trust Boundary Violation