GHSA-94F4-HR76-P5J6
Vulnerability from github – Published: 2026-06-16 17:36 – Updated: 2026-06-16 17:36
VLAI
Summary
vLLM: OpenAI auth bypass
Details
Summary
A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit.
It allows to use the API without providing the configured VLLM_API_KEY or --api-key.
Details
In https://github.com/vllm-project/vllm/blob/v0.14.0/vllm/entrypoints/openai/api_server.py#L689-L692 the url_path is taken from the URL, which is reconstructed by starlette based on the request scope.
from starlette.datastructures import URL, Headers, MutableHeaders, State
# ...
url_path = URL(scope=scope).path.removeprefix(root_path)
headers = Headers(scope=scope)
if url_path.startswith("/v1") and not self.verify_token(headers):
response = JSONResponse(content={"error": "Unauthorized"}, status_code=401)
return response(scope, receive, send)
return self.app(scope, receive, send)
The request scope includes the request's Host: header and reconstructs the URL as shown below:
f"{scheme}://{host_header}{path}"
Neither starlette nor any of the ASGI servers (including uvicorn, which vllm uses) properly filter the Host: header for invalid characters. This allows an attacker to include special URL characters such as / or ? in the Host: header and thereby control the reconstructed URL and it's .path attribute.
FastAPI/starlette's routing uses the HTTP path and does not depend on the parsed url.path attribute, allowing attackers to reach an endpoint via a certain path while providing a different value in the .path.
Impact
- Instances of vllm that use an API Key for the OpenAI API and expose the API to attackers.
- Instances behind an RFC-conforming web server (such as nginx) are not affected.
Severity
9.1 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48746"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T17:36:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nA vulnerability in ASGI web servers and starlette\u0027s trust on those web servers enables an authentication bypass of the OpenAI API `AuthenticationMiddleware`, which was discovered during @x41sec\u0027s source code audit.\nIt allows to use the API without providing the configured `VLLM_API_KEY` or `--api-key`.\n\n### Details\n\nIn https://github.com/vllm-project/vllm/blob/v0.14.0/vllm/entrypoints/openai/api_server.py#L689-L692 the `url_path` is taken from the `URL`, which is reconstructed by _starlette_ based on the request `scope`.\n\n```py\nfrom starlette.datastructures import URL, Headers, MutableHeaders, State\n\n# ...\n\nurl_path = URL(scope=scope).path.removeprefix(root_path)\nheaders = Headers(scope=scope)\nif url_path.startswith(\"/v1\") and not self.verify_token(headers):\n response = JSONResponse(content={\"error\": \"Unauthorized\"}, status_code=401)\n return response(scope, receive, send)\nreturn self.app(scope, receive, send)\n```\n\nThe request `scope` includes the request\u0027s `Host:` header and reconstructs the URL as shown below:\n\n```py\nf\"{scheme}://{host_header}{path}\"\n```\n\nNeither starlette nor [any of the ASGI servers](https://asgi.readthedocs.io/en/latest/implementations.html#servers) (including uvicorn, which vllm uses) properly filter the `Host:` header for invalid characters. This allows an attacker to include special URL characters such as `/` or `?` in the `Host:` header and thereby control the reconstructed URL and it\u0027s `.path` attribute.\n\nFastAPI/starlette\u0027s routing uses the HTTP path and does not depend on the parsed url.path attribute, allowing attackers to reach an endpoint via a certain path while providing a different value in the `.path`.\n\n### Impact\n- Instances of vllm that use an API Key for the OpenAI API and expose the API to attackers.\n- Instances behind an RFC-conforming web server (such as nginx) are **not** affected.",
"id": "GHSA-94f4-hr76-p5j6",
"modified": "2026-06-16T17:36:41Z",
"published": "2026-06-16T17:36:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/43426"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
},
{
"type": "WEB",
"url": "https://x41-dsec.de/lab/advisories/x41-2026-002-starlette"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM: OpenAI auth bypass"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…