Description
A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function api_generate of the component Worker API Endpoint. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is c9e84b89c91d45191dc24466888de526fa04cf33. It is suggested to install a patch to address this issue. Commit ff66426 patched this issue in api_generate of base_model_worker.py but missed other entry points.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Remote Denial of Service via Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

Affecting the api_generate function in lm-sys FastChat, the vulnerability allows a remote attacker to cause excessive resource consumption by submitting crafted requests. The flaw arises from insufficient input validation or rate limiting within the Worker API Endpoint, leading to uncontrolled memory or CPU usage, which can degrade service availability for legitimate users.

Affected Systems

All installations of lm-sys FastChat up to and including version 0.2.36 are susceptible. The issue resides in the Worker API Endpoint api_generate function, defined in base_model_worker.py. No newer releases publicly identify a fix for this specific path, so any deployment of the affected version must be updated.

Risk and Exploitability

The CVSS score of 6.9 places the flaw in the medium severity range. Although its EPSS score is not publicly available, the vulnerability has been demonstrated publicly and can be triggered remotely without local access. It is not listed in CISA’s KEV catalog, but the remote nature and confirmed exploit suggest a realistic attack vector. The commit that patches api_generate in base_model_worker.py (c9e84b89) addresses this path, yet a separate commit (ff66426) noted that other entry points may remain unpatched, potentially extending the risk.

Generated by OpenCVE AI on April 20, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update FastChat to a release that includes the c9e84b89c commit, which resolves the resource exhaustion flaw in the Worker API Endpoint (CWE-400).
  • Conduct a brief audit of other Worker API endpoints for unbounded loops or resource allocation that could trigger CWE-404, and apply fixes or add defensive limits.
  • If an update is not immediately available, isolate the Worker API Endpoint behind network segmentation or require authentication and set hard request limits to prevent excessive resource usage.


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 05:15:00 +0000

Type | Values Removed | Values Added

Description: A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function api_generate of the component Worker API Endpoint. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is c9e84b89c91d45191dc24466888de526fa04cf33. It is suggested to install a patch to address this issue. Commit ff66426 patched this issue in api_generate of base_model_worker.py but missed other entry points.
Title: lm-sys fastchat Worker API Endpoint api_generate resource consumption
First Time appeared: Lm-sys; Lm-sys fastchat
Weaknesses: CWE-400; CWE-404
CPEs: cpe:2.3:a:lm-sys:fastchat:*:*:*:*:*:*:*:*
Vendors & Products: Lm-sys; Lm-sys fastchat
References:
Metrics:
  cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T11:37:05.103Z

Reserved: 2026-04-19T15:59:39.594Z

Link: CVE-2026-6607

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T05:16:16.190

Modified: 2026-04-20T05:16:16.190

Link: CVE-2026-6607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T07:00:11Z

Weaknesses