CVE-2026-15574: vLLM Gateway: logs leak bearer tokens & chat PII
HIGHvllm-orchestrator-gateway's production binary writes every incoming Authorization header and full chat payload to persistent logs in plaintext, so any bearer token used to call the inference API and any PII or business-sensitive content in a conversation ends up sitting in a log file. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects that no privileges are needed to trigger the logging — every normal request poisons the logs — but actually harvesting the data requires a second step: read access to those logs, whether via an insider, a misconfigured log store, or a compromised log-aggregation host. There's no CISA KEV listing, no public exploit or Nuclei template, and EPSS data isn't available, so this isn't being mass-exploited today, but it's a textbook credential-harvesting and data-leakage primitive that turns any log-access compromise into an AI-service account takeover plus a PII/secrets breach. Patch to the fixed version per the Red Hat advisory, strip Authorization headers and payload bodies from logging middleware in the meantime, treat any tokens that may have transited this gateway as compromised and rotate them, and tighten RBAC on log storage and aggregation systems.
What is the risk?
Confidentiality-only impact (C:H/I:N/A:N) with no authentication or user interaction required to trigger the flaw — every request through the gateway is logged in full, so the exposure surface grows with traffic volume. The realistic exploit path is two-stage: an attacker doesn't attack the gateway directly, they attack (or already have access to) whatever stores or aggregates its logs. That significantly narrows the population of viable adversaries to insiders, supply-chain actors with access to logging/observability infrastructure, or attackers who've already gained a foothold elsewhere and pivot to log storage. Package risk score is unscored (0/100, no dependent or scorecard data available) and this is not in CISA KEV, so there's no evidence of active exploitation — but the low technical bar for extracting value once log access exists, combined with the sensitivity of what's logged (bearer tokens + raw chat content), makes this a high-priority finding for any deployment handling regulated or confidential data.
How does the attack unfold?
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch vllm-orchestrator-gateway to the version referenced in the Red Hat advisory as soon as it's available in your environment. 2) Until patched, disable verbose/debug request logging or add middleware that redacts the Authorization header and request/response bodies before they hit persistent storage. 3) Treat any bearer tokens that transited the gateway since deployment as potentially compromised — rotate them and audit for anomalous API usage from those credentials. 4) Restrict read access to production logs to the minimum necessary set of operators (RBAC), and ensure log storage/aggregation systems (S3, ELK, Splunk, etc.) aren't broadly readable. 5) If logs are forwarded to a SIEM, add field-level masking for Authorization headers and chat/message bodies. 6) Audit log retention — purge or redact historical logs that may already contain harvested tokens/PII.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-15574?
vllm-orchestrator-gateway's production binary writes every incoming Authorization header and full chat payload to persistent logs in plaintext, so any bearer token used to call the inference API and any PII or business-sensitive content in a conversation ends up sitting in a log file. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects that no privileges are needed to trigger the logging — every normal request poisons the logs — but actually harvesting the data requires a second step: read access to those logs, whether via an insider, a misconfigured log store, or a compromised log-aggregation host. There's no CISA KEV listing, no public exploit or Nuclei template, and EPSS data isn't available, so this isn't being mass-exploited today, but it's a textbook credential-harvesting and data-leakage primitive that turns any log-access compromise into an AI-service account takeover plus a PII/secrets breach. Patch to the fixed version per the Red Hat advisory, strip Authorization headers and payload bodies from logging middleware in the meantime, treat any tokens that may have transited this gateway as compromised and rotate them, and tighten RBAC on log storage and aggregation systems.
Is CVE-2026-15574 actively exploited?
No confirmed active exploitation of CVE-2026-15574 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-15574?
1) Patch vllm-orchestrator-gateway to the version referenced in the Red Hat advisory as soon as it's available in your environment. 2) Until patched, disable verbose/debug request logging or add middleware that redacts the Authorization header and request/response bodies before they hit persistent storage. 3) Treat any bearer tokens that transited the gateway since deployment as potentially compromised — rotate them and audit for anomalous API usage from those credentials. 4) Restrict read access to production logs to the minimum necessary set of operators (RBAC), and ensure log storage/aggregation systems (S3, ELK, Splunk, etc.) aren't broadly readable. 5) If logs are forwarded to a SIEM, add field-level masking for Authorization headers and chat/message bodies. 6) Audit log retention — purge or redact historical logs that may already contain harvested tokens/PII.
What systems are affected by CVE-2026-15574?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.
What is the CVSS score for CVE-2026-15574?
CVE-2026-15574 has a CVSS v3.1 base score of 7.5 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0036 Data from Information Repositories AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.
Exploitation Scenario
An attacker doesn't need to compromise the gateway itself — they target wherever its logs live. For example, a misconfigured log bucket, an over-permissioned logging/observability platform, or a compromised host that has log-read access. Once there, the attacker greps the logs for `Authorization:` headers to harvest live bearer tokens, then replays those tokens against the inference API to impersonate legitimate callers (users, agents, or integrated services) and consume the AI service under someone else's identity/quota. In parallel, they scrape the logged chat payloads for PII, internal business data, or RAG-retrieved confidential content, turning a logging misconfiguration into both a credential-theft incident and a data-privacy breach with regulatory notification implications.
Weaknesses (CWE)
CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory: The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
- [Architecture and Design, Operation, System Configuration] Do not expose file and directory information to the user.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Timeline
Related Vulnerabilities
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Data Leakage CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same attack type: Data Leakage CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Privacy Violation CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Data Leakage CVE-2026-46695 10.0 Boxlite: read-only bypass enables host code execution
Same attack type: Data Leakage