vLLM OpenAI-Compatible API Server Authentication Bypass Allows Unauthenticated AI Inference Access (CVE-2026-48746)
Scope: vLLM Versions 0.3.0 through 0.21.x (Fixed in 0.22.0)
Severity: Red
A critical authentication bypass (CVSS 9.1) in vLLM's OpenAI API AuthenticationMiddleware, discovered during an X41 Security source code audit and published June 2, 2026, stems from the middleware reconstructing the request URL path using Starlette's URL(scope=scope).path method which trusts the attacker-controlled Host header rather than the unalterable scope["path"] value. An unauthenticated attacker can send a crafted Host header to manipulate the reconstructed path so it does not match the /v1 prefix check, causing authentication to be bypassed entirely and granting free access to all inference endpoints without providing a VLLM_API_KEY. Notably, vLLM deployments placed behind an RFC-conforming reverse proxy such as nginx are not affected, as nginx normalizes the Host header before it reaches vLLM. Organizations must upgrade to vLLM version 0.22.0 immediately; where patching is delayed, place the vLLM API server behind an nginx or similar reverse proxy, restrict direct network access to the vLLM port via firewall rules, and rotate any API keys that may have been exposed.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.