CVE-2026-15574: vLLM Gateway: logs leak bearer tokens & chat PII

HIGH
Published July 13, 2026
CISO Take

vllm-orchestrator-gateway's production binary writes every incoming Authorization header and full chat payload to persistent logs in plaintext, so any bearer token used to call the inference API and any PII or business-sensitive content in a conversation ends up sitting in a log file. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects that no privileges are needed to trigger the logging — every normal request poisons the logs — but actually harvesting the data requires a second step: read access to those logs, whether via an insider, a misconfigured log store, or a compromised log-aggregation host. There's no CISA KEV listing, no public exploit or Nuclei template, and EPSS data isn't available, so this isn't being mass-exploited today, but it's a textbook credential-harvesting and data-leakage primitive that turns any log-access compromise into an AI-service account takeover plus a PII/secrets breach. Patch to the fixed version per the Red Hat advisory, strip Authorization headers and payload bodies from logging middleware in the meantime, treat any tokens that may have transited this gateway as compromised and rotate them, and tighten RBAC on log storage and aggregation systems.

Sources: NVD CISA KEV ATLAS access.redhat.com bugzilla.redhat.com

What is the risk?

Confidentiality-only impact (C:H/I:N/A:N) with no authentication or user interaction required to trigger the flaw — every request through the gateway is logged in full, so the exposure surface grows with traffic volume. The realistic exploit path is two-stage: an attacker doesn't attack the gateway directly, they attack (or already have access to) whatever stores or aggregates its logs. That significantly narrows the population of viable adversaries to insiders, supply-chain actors with access to logging/observability infrastructure, or attackers who've already gained a foothold elsewhere and pivot to log storage. Package risk score is unscored (0/100, no dependent or scorecard data available) and this is not in CISA KEV, so there's no evidence of active exploitation — but the low technical bar for extracting value once log access exists, combined with the sensitivity of what's logged (bearer tokens + raw chat content), makes this a high-priority finding for any deployment handling regulated or confidential data.

How does the attack unfold?

Normal API usage
Any client (user, agent, or integrated service) sends a routine authenticated request to the gateway, which logs the full Authorization header and chat payload to persistent storage.
AML.T0040
Log access acquisition
A separate threat actor — an insider, an attacker who compromised the log storage/aggregation system, or one who pivoted from another foothold — gains read access to the production logs.
AML.T0055
Credential and data harvesting
The actor scrapes the logs for bearer tokens and chat content, extracting live credentials plus PII and sensitive conversation data.
AML.T0025
Impact: account takeover and data exposure
Harvested tokens are replayed to impersonate legitimate callers of the AI service while exposed PII/business data drives a privacy breach and potential compliance violation.
AML.T0012

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

1 step
  1. 1) Patch vllm-orchestrator-gateway to the version referenced in the Red Hat advisory as soon as it's available in your environment. 2) Until patched, disable verbose/debug request logging or add middleware that redacts the Authorization header and request/response bodies before they hit persistent storage. 3) Treat any bearer tokens that transited the gateway since deployment as potentially compromised — rotate them and audit for anomalous API usage from those credentials. 4) Restrict read access to production logs to the minimum necessary set of operators (RBAC), and ensure log storage/aggregation systems (S3, ELK, Splunk, etc.) aren't broadly readable. 5) If logs are forwarded to a SIEM, add field-level masking for Authorization headers and chat/message bodies. 6) Audit log retention — purge or redact historical logs that may already contain harvested tokens/PII.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 12 - Record-keeping
ISO 42001
A.6.2.6 - AI system logging and monitoring
NIST AI RMF
MANAGE 4.1 - Post-deployment monitoring for AI system risks
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-15574?

vllm-orchestrator-gateway's production binary writes every incoming Authorization header and full chat payload to persistent logs in plaintext, so any bearer token used to call the inference API and any PII or business-sensitive content in a conversation ends up sitting in a log file. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects that no privileges are needed to trigger the logging — every normal request poisons the logs — but actually harvesting the data requires a second step: read access to those logs, whether via an insider, a misconfigured log store, or a compromised log-aggregation host. There's no CISA KEV listing, no public exploit or Nuclei template, and EPSS data isn't available, so this isn't being mass-exploited today, but it's a textbook credential-harvesting and data-leakage primitive that turns any log-access compromise into an AI-service account takeover plus a PII/secrets breach. Patch to the fixed version per the Red Hat advisory, strip Authorization headers and payload bodies from logging middleware in the meantime, treat any tokens that may have transited this gateway as compromised and rotate them, and tighten RBAC on log storage and aggregation systems.

Is CVE-2026-15574 actively exploited?

No confirmed active exploitation of CVE-2026-15574 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-15574?

1) Patch vllm-orchestrator-gateway to the version referenced in the Red Hat advisory as soon as it's available in your environment. 2) Until patched, disable verbose/debug request logging or add middleware that redacts the Authorization header and request/response bodies before they hit persistent storage. 3) Treat any bearer tokens that transited the gateway since deployment as potentially compromised — rotate them and audit for anomalous API usage from those credentials. 4) Restrict read access to production logs to the minimum necessary set of operators (RBAC), and ensure log storage/aggregation systems (S3, ELK, Splunk, etc.) aren't broadly readable. 5) If logs are forwarded to a SIEM, add field-level masking for Authorization headers and chat/message bodies. 6) Audit log retention — purge or redact historical logs that may already contain harvested tokens/PII.

What systems are affected by CVE-2026-15574?

This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2026-15574?

CVE-2026-15574 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

model servingagent frameworksRAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0036 Data from Information Repositories
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 12
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.

Exploitation Scenario

An attacker doesn't need to compromise the gateway itself — they target wherever its logs live. For example, a misconfigured log bucket, an over-permissioned logging/observability platform, or a compromised host that has log-read access. Once there, the attacker greps the logs for `Authorization:` headers to harvest live bearer tokens, then replays those tokens against the inference API to impersonate legitimate callers (users, agents, or integrated services) and consume the AI service under someone else's identity/quota. In parallel, they scrape the logged chat payloads for PII, internal business data, or RAG-retrieved confidential content, turning a logging misconfiguration into both a credential-theft incident and a data-privacy breach with regulatory notification implications.

Weaknesses (CWE)

CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory: The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

  • [Architecture and Design, Operation, System Configuration] Do not expose file and directory information to the user.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
July 13, 2026
Last Modified
July 13, 2026
First Seen
July 13, 2026

Related Vulnerabilities