CVE-2026-48746

Source
https://cve.org/CVERecord?id=CVE-2026-48746
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48746.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48746
Aliases
Downstream
Related
Published
2026-06-22T21:57:28.997Z
Modified
2026-07-08T08:13:39.040881256Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
vLLM: OpenAI auth bypass
Details

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing the configured VLLMAPIKEY or --api-key. This vulnerability is fixed in 0.22.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48746.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-444"
    ]
}
References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Database specific
{
    "cpe": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0.3.0"
        },
        {
            "fixed": "0.22.0"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.10.0rc1
v0.10.0rc2
v0.10.1rc1
v0.10.2rc1
v0.10.2rc2
v0.11.0rc1
v0.11.1
v0.11.1rc0
v0.11.1rc1
v0.11.1rc2
v0.11.1rc3
v0.11.1rc4
v0.11.1rc5
v0.11.1rc6
v0.13.0rc1
v0.14.0rc0
v0.14.0rc1
v0.15.0rc1
v0.15.2rc0
v0.16.0rc0
v0.16.0rc1
v0.17.0rc0
v0.17.1rc0
v0.17.2rc0
v0.18.0rc0
v0.18.1rc0
v0.18.2rc0
v0.19.1rc0
v0.19.2rc0
v0.20.1rc0
v0.20.2rc0
v0.21.1rc0
v0.22.0rc1
v0.22.0rc2
v0.22.0rc3
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0.post1
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0.post1
v0.5.1
v0.5.2
v0.5.3
v0.5.3.post1
v0.5.4
v0.5.5
v0.6.0
v0.6.1
v0.6.1.post1
v0.6.1.post2
v0.6.2
v0.6.3
v0.6.3.post1
v0.6.4
v0.6.4.post1
v0.6.5
v0.6.6
v0.6.6.post1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0rc1
v0.8.0rc2
v0.8.1
v0.8.2
v0.8.3rc1
v0.8.4
v0.9.0
v0.9.1
v0.9.1rc1
v0.9.1rc2
v0.9.2rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48746.json"