Authentication Bypass in vLLM by vllm-project
CVE-2026-48746

9.1CRITICAL

Key Information:

Vendor

Vllm-project

Status
Vllm
Vendor
CVE Published:
22 June 2026

What is CVE-2026-48746?

A vulnerability exists in the vLLM inference engine affecting OpenAI API integration, enabling an authentication bypass due to misconfigurations in ASGI web servers and the Trust feature in Starlette. This flaw permits unauthorized access to the API, allowing interaction without the necessity for valid credentials such as VLLM_API_KEY. The issue has been addressed and mitigated in version 0.22.0, emphasizing the need for users to update their installations in order to secure their API interactions.

Affected Version(s)

vllm >= 0.3.0, < 0.22.0

References

https://github.com/vllm-project/vllm/security/advisories/...
x_refsource_CONFIRM
https://github.com/vllm-project/vllm/pull/43426
x_refsource_MISC
https://x41-dsec.de/lab/advisories/x41-2026-002-starlette
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.