CVE-2026-34753

Source
https://cve.org/CVERecord?id=CVE-2026-34753
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34753
Aliases
Related
Published
2026-04-06T15:36:52.942Z
Modified
2026-07-15T01:49:18.674681908Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
Summary
vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
Details

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in downloadbytesfrom_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34753.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Database specific
{
    "cpe": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0.16.0"
        },
        {
            "fixed": "0.19.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34753.json"