Description
A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in vllm-project vllm version 0.19.0 allows an attacker to manipulate the OpenAI-compatible serving path, causing the service to become unresponsive. The weakness is classified as CWE-404 (Improper Resource Shutdown or Release), a resource-availability issue; it can be triggered remotely and a public exploit exists, so any instance exposing the vulnerable endpoint is at risk of downtime.

Affected Systems

The vulnerability affects the vllm component of vllm‑project, specifically version 0.19.0. Any deployment of that release exposed to outside traffic is potentially impacted.

Risk and Exploitability

The CVSS score of 6.9 places the flaw in the moderate range, but the lack of a vendor fix or workaround and the public availability of the exploit raise the practical risk. The EPSS estimate is very low (below 1%) and the vulnerability is not listed in CISA's KEV catalog, yet the remote attack vector and documented exploit code mean operators should treat it as a serious threat until a fix is available.

Generated by OpenCVE AI on May 26, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vllm to a release that contains the fix once it is published (a version newer than 0.19.0).
  • If an upgrade is not immediately feasible, isolate the OpenAI‑compatible endpoint by placing it behind a firewall or reverse proxy, enforce strict access controls, and implement rate limiting to reduce the chance of a successful denial‑of‑service attempt.
  • Continuously monitor the serving service for abnormal latency or error spikes and set up alerts to trigger automated restarts or scaling actions when thresholds are exceeded.


Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000 (values added; none removed)

Metrics:
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 13:45:00 +0000 (values added; none removed)

Description: A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Title: vllm-project vllm OpenAI-compatible Serving Path denial of service
First Time appeared: Vllm-project; Vllm-project vllm
Weaknesses: CWE-404
CPEs: cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:*
Vendors & Products: Vllm-project; Vllm-project vllm
References: none
Metrics:
  cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T13:47:57.215Z

Reserved: 2026-05-26T05:44:55.913Z

Link: CVE-2026-9540

Vulnrichment

Updated: 2026-05-26T13:47:53.055Z

NVD

Status : Deferred

Published: 2026-05-26T14:16:45.803

Modified: 2026-05-26T19:54:40.357

Link: CVE-2026-9540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:45:08Z

Weaknesses
  • CWE-404: Improper Resource Shutdown or Release