External risk intelligence

vLLM Authentication Bypass via ASGI Server Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-48746

vLLM is specifically designed as an inference and serving engine for Large Language Models. When deployed, it commonly exposes an OpenAI-compatible API endpoint to provide model access to clients, making these endpoints frequent targets for internet-facing or service-level access.

Authentication Bypass

Vllm

0.3.0 to before 0.22.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in vLLM, an engine used for large language models, that could allow unauthorized access to its API. This bypasses the intended authentication mechanism, meaning the API could be used without the necessary keys. The main concern is confirming if your organization uses this specific technology and is therefore exposed.

  • Bypass authentication for large language model APIs.
  • Protects access to valuable AI model services.
  • Confirm if vLLM is in use; assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could bypass authentication on the OpenAI API by sending specially crafted requests to the vLLM inference engine. This would allow them to access the API without needing a valid API key, potentially leading to unauthorized use of the large language model.

  • No authentication required to access.
  • Triggers authentication bypass vulnerability.
  • Allows unauthorized API access.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability in vLLM's handling of ASGI web servers and starlette could allow unauthenticated access to the OpenAI API. This means that an attacker could potentially interact with the large language model service without needing to provide the correct API key, which might affect service availability and potentially expose information processed by the model, depending on how the API is configured and used.

  • API access to the LLM service.
  • Bypassing API key authentication.
  • Unauthorized service access or denial.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for vLLM inference and serving engines, including platform or infrastructure teams that manage LLM deployments, should lead the remediation efforts. The initial practical move is to identify all instances of vLLM, confirm their exposure and criticality, and then plan for updates or other mitigation strategies based on the assessed risk.

  • Platform/Infrastructure teams own the issue.
  • Verify vLLM instances and API reachability.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is vLLM and how is it used?

vLLM is a specialized engine designed to serve and run large language models (LLMs) efficiently. Developers and engineers use it to deploy models as accessible services, often providing an interface that mimics the OpenAI API. This allows existing applications to interact with locally hosted or infrastructure-managed AI models as if they were calling a standard cloud-based service.

How does CVE-2026-48746 create an authentication bypass?

This vulnerability involves CWE-444, also known as HTTP Request Smuggling. The issue stems from how vLLM interacts with its ASGI web server and the Starlette framework. Because these components may interpret incoming requests differently, an attacker can bypass the OpenAI-compatible AuthenticationMiddleware. This allows the attacker to interact with the LLM engine as if they were a valid user, even without providing the required API key.

Do I need a specifically crafted request to trigger this flaw?

Yes, triggering this vulnerability requires sending specifically crafted requests that exploit the discrepancy in how the web server and the underlying application framework process HTTP data. Simply connecting to the API or performing standard, well-formed requests will not inherently trigger the bypass. The vulnerability relies on the structural manipulation of the request to deceive the authentication check.

Is my vLLM deployment at risk of unauthorized access?

Halo Surface Signal indicates that vLLM deployments are frequently configured to provide service-level access, often making the OpenAI-compatible API endpoints reachable over a network. If your instance is internet-facing or accessible to unauthorized service-level traffic, the risk is higher. You should assess if your network architecture allows external entities to reach your inference engine.

How should I respond to this vLLM vulnerability?

The primary step is to identify all vLLM instances within your environment and check their version numbers. Since this vulnerability affects versions from 0.3.0 up to 0.21.x, you should prioritize upgrading to version 0.22.0, where this authentication issue is resolved. Infrastructure and platform teams should lead this effort by auditing current deployments and scheduling the necessary updates to maintain secure access control.

References