Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incomplete fix for a prior CVE left exception messages unsanitized in the vLLM inference engine. When an unauthenticated attacker sends malformed image bytes to the Anthropic Messages API, PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, exposing a heap memory address in the response body. The flaw is classified under CWE‑209 and also reveals internal file paths or environmental details in logs, corresponding to CWE‑532.

Affected Systems

vLLM before version 0.23.1rc0 (vllm-project vllm library). The vulnerability impacts the Anthropic API router, the Server‑Sent Events streaming converter, and the realtime speech‑to‑text WebSocket components within vllm.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score is < 1% and the vulnerability does not appear in the CISA KEV catalog. An unauthenticated attacker can trigger the flaw by posting malformed image data to the Anthropic endpoint, causing a PIL exception to leak a BytesIO object repr that includes a heap memory address. The exploitation requires no special privileges and results only in information disclosure, which could aid further attacks but does not provide code execution.

Generated by OpenCVE AI on June 26, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to vLLM 0.23.1rc0 or newer, which completes the sanitize_message fix and prevents heap address leakage (CWE‑209).
  • If upgrading is not immediately possible, modify the Anthropic router, streaming converter, and WebSocket handlers to explicitly call the sanitize_message helper on exceptions before constructing responses, thereby removing sensitive data (CWE‑209).
  • Apply application logging changes to suppress stack traces or internal error details that may reveal file paths or environment information, mitigating information disclosure (CWE‑532).
  • As a temporary protection, restrict or rate‑limit access to the Anthropic API endpoints until the patch is installed.

Generated by OpenCVE AI on June 26, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hgg8-fqqc-vfmw vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
History

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-209
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Mon, 22 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
Title vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T12:33:28.108Z

Reserved: 2026-06-12T16:25:43.084Z

Link: CVE-2026-54236

cve-icon Vulnrichment

Updated: 2026-06-23T12:33:20.376Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T22:09:15Z

Links: CVE-2026-54236 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:00:16Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information

  • CWE-532

    Insertion of Sensitive Information into Log File