Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incomplete fix for a previous CVE left exception messages unsanitized in the vLLM inference engine. The Anthropic router handlers bypass the global FastAPI exception handler and directly construct JSON responses with str(exc), causing heap memory addresses from PIL.Image.open error messages to be exposed to clients. This leakage of internal memory addresses aligns with CWE-532.

Affected Systems

vLLM before version 0.23.1rc0 (vllm-project vllm library). The vulnerability impacts the Anthropic API router, the Server-Sent Events streaming converter, and the realtime speech-to-text WebSocket components within vllm.

Risk and Exploitability

The CVSS score of 5.3 categorizes the flaw as moderate, while the EPSS score is not available and the vulnerability is not listed in CISA KEV. An unauthenticated attacker can trigger it by sending malformed image bytes to the Anthropic Messages API endpoints, which produces an UnidentifiedImageError that leaks a BytesIO repr containing a heap memory address. The exploitation requires no special privileges and results only in information disclosure, potentially aiding further attacks but not enabling code execution.

Generated by OpenCVE AI on June 22, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vLLM library to version 0.23.1rc0 or newer, which applies the full sanitize_message fix.
  • If an immediate upgrade is not possible, modify the Anthropic router, streaming, and WebSocket handlers to invoke the sanitize_message helper on any exception messages before they are returned to clients.
  • As a provisional measure, restrict or rate-limit access to the Anthropic API endpoints until the patch is applied.

Generated by OpenCVE AI on June 22, 2026 at 23:22 UTC.
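The description above explains the mechanism (an error body built from str(exc) inside the route coroutine, so the sanitizing global handler never sees it, and WebSocket frames never reach that handler at all), and the recommended actions call for applying the sanitize_message helper at each such site. The following is an added illustration written for this page; it is not vLLM's code and not OpenCVE's. It shows a stand-in sanitizer with the same purpose as the helper the advisory names, the unsanitized body-construction pattern beside its hardened form, and a check that flags any outbound error string still carrying a hex address. The regexes, the Anthropic-style error envelope, the FakeUnidentifiedImageError class and the address 0x7f3a2c1b5e90 are all constructed for the example.

```python
import re
from typing import Any

# Illustrative sanitizer, not vLLM's own sanitize_message. First strip the
# "at 0x..." fragment from Python object reprs such as
# "<_io.BytesIO object at 0x7f3a2c1b5e90>", then redact any remaining long
# hex literal so a pointer-sized value never reaches the client.
_REPR_ADDR = re.compile(r"(<[^<>]*?\bobject) at 0x[0-9a-fA-F]+(>)")
_BARE_ADDR = re.compile(r"0x[0-9a-fA-F]{8,}")


def sanitize_message(msg: str) -> str:
    """Return msg with object-repr addresses and bare heap addresses removed."""
    msg = _REPR_ADDR.sub(r"\1\2", msg)
    return _BARE_ADDR.sub("0x<redacted>", msg)


def leaks_address(text: str) -> bool:
    """Detection check for an outbound error string: True if a hex address
    of pointer-like length is still present."""
    return _BARE_ADDR.search(text) is not None


class FakeUnidentifiedImageError(OSError):
    """Constructed stand-in for PIL's UnidentifiedImageError so the example
    runs without Pillow installed."""


# Constructed sample: the message shape follows the advisory's description
# (a BytesIO repr embedded in the error text); the address itself is made up.
SAMPLE_EXC = FakeUnidentifiedImageError(
    "cannot identify image file <_io.BytesIO object at 0x7f3a2c1b5e90>"
)


def error_body_unsanitized(exc: Exception) -> dict[str, Any]:
    """The pattern the advisory describes: str(exc) echoed verbatim into the
    response body built inside the handler (assumed Anthropic-style envelope)."""
    return {
        "type": "error",
        "error": {"type": "invalid_request_error", "message": str(exc)},
    }


def error_body_sanitized(exc: Exception) -> dict[str, Any]:
    """Hardened form: the helper is applied where the body is constructed,
    which also covers handlers and WebSocket frames that bypass any global
    exception handler."""
    return {
        "type": "error",
        "error": {
            "type": "invalid_request_error",
            "message": sanitize_message(str(exc)),
        },
    }


if __name__ == "__main__":
    for build in (error_body_unsanitized, error_body_sanitized):
        message = build(SAMPLE_EXC)["error"]["message"]
        print(f"{build.__name__}: leaks={leaks_address(message)} -> {message!r}")
```

The leaks_address check is the piece worth keeping around independently of the fix: run over error responses in a test suite, or over sampled response bodies at a proxy, it catches any new path that echoes str(exc) directly, regardless of which exception type produced the repr.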

Tracking


Advisories
Source: Github GHSA
ID: GHSA-hgg8-fqqc-vfmw
Title: vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
History

Mon, 22 Jun 2026 22:45:00 +0000

Type / Values Removed / Values Added
Description: identical to the description above
Title: vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Weaknesses: CWE-532
References:
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T22:09:15.034Z

Reserved: 2026-06-12T16:25:43.084Z

Link: CVE-2026-54236

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File