Critical authentication bypass allows unauthorized API access
Summary
vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLM_API_KEY or --api-key. This vulnerability is fixed in 0.22.0. A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability, residing in ASGI web servers and Starlette's trust in them, allows an attacker to bypass the OpenAI API Authentication Middleware. This bypass enables unauthorized access to the API without requiring the configured VLLM_API_KEY or --api-key, leading to critical unauthorized operations. CVE-2026-48746 is an authentication bypass in the vLLM OpenAI-compatible API server. A remote attacker who can reach the vLLM endpoint directly can craft a Host header so the authentication middleware checks a different URL path than the one actually dispatched, bypassing VLLM_API_KEY / --api-key protection. Successful exploitation allows unauthorized inference API access, which can result in confidentiality loss (model/prompt abuse) and availability impact (resource exhaustion). The flaw does not provide integrity compromise or arbitrary code execution. Exploitation requires vLLM API-key authentication to be enabled and the service to be exposed without an RFC-conforming reverse proxy that normalizes the Host header. Because Red Hat AI inference offerings are commonly deployed behind OpenShift Routes or similar proxies, and because the vulnerability is conditional on deployment and configuration, the overall flaw impact is rated Important rather than Critical. Red Hat severity: Important — CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). Weakness: CWE-501. Fixed by RHSA-2026:30088, RHSA-2026:30089 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat AI Inference Server 3.3. Will not fix / out of support: Red Hat Ansible Automation Platform 2.
- rhaiis/vllm-rocm-rhel9:1782353093
- rhaiis/vllm-cuda-rhel9:1782352847
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- rhaiis/vllm-rocm-rhel9:1782353093
- rhaiis/vllm-cuda-rhel9:1782352847
- RHSA-2026:30088
- RHSA-2026:30089
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Restrict network access to the vLLM API endpoint to only trusted clients and internal networks. Implement firewall rules or network policies to limit inbound connections to the vLLM service, thereby reducing the attack surface. This operational control helps prevent unauthorized external access to the vulnerable API.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.