What is CVE-2026-48746?

CVE-2026-48746 is a critical-severity vulnerability in Vllm-project Vllm, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 9.1/10. Published 2026-06-22.

How severe is CVE-2026-48746?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Vllm-project Vllm

CVE-2026-48746

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API Authentica…

Vulnerability class: HTTP Request Smuggling

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.

Affected products

Vllm-project Vllm — versions >= 0.3.0, < 0.22.0

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)
134c704f-9b21-4f2e-91b3-4a467353bcc0

Frequently asked questions

What is CVE-2026-48746?: CVE-2026-48746 is a critical-severity vulnerability in Vllm-project Vllm, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 9.1/10. Published 2026-06-22.
How severe is CVE-2026-48746?: Critical severity. CVSS v3 base score is 9.1 out of 10.