AI Threat Alert

CVE-2026-25960: vllm: SSRF allows internal network access

GHSA-v359-jj2v-j536 CRITICAL PoC AVAILABLE
Published March 9, 2026
CISO Take

CVE-2026-25960 is a critical SSRF bypass in vLLM that allows unauthenticated attackers to pivot from your LLM inference server to internal cloud metadata services, internal APIs, and adjacent infrastructure — with no credentials required. The original CVE-2026-24779 fix is confirmed ineffective due to URL parser inconsistency between urllib3 (validation) and aiohttp/yarl (execution), meaning any organization that patched the original vuln is still exposed. Upgrade to the patched version immediately and treat this as an active incident if your vLLM instances run in cloud environments where IMDS credential theft is a realistic pivot.

What is the risk?

Critical. CVSS 9.8 with network-accessible, unauthenticated, zero-interaction attack vector. vLLM is the dominant open-source LLM serving engine widely deployed in enterprise AI stacks, significantly broadening the blast radius. The bypass nature of this CVE compounds risk: attackers who already developed tooling for CVE-2026-24779 can likely adapt it trivially. Cloud-hosted vLLM deployments are highest priority — SSRF to instance metadata services (AWS IMDS, GCP metadata, Azure IMDS) converts this into a credential theft and lateral movement vulnerability. Exploitation is low-complexity given the existing public disclosure and patch diff.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip No patch
83.4K 130 dependents Pushed 3d ago 34% patched ~32d to patch Full package profile →
vLLM pip >= 0.15.1, < 0.17.0 0.17.0
83.4K 130 dependents Pushed 3d ago 34% patched ~32d to patch Full package profile →

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade vLLM to the version containing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 — verify your version is beyond 0.17.0 where the fix is confirmed.

  2. WORKAROUND

    If immediate patching is blocked, disable remote URL loading functionality at the application config level and block it at the API gateway layer.

  3. NETWORK EGRESS

    Implement strict egress filtering on all vLLM hosts — block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback from outbound HTTP/HTTPS.

  4. IMDS HARDENING

    Enforce IMDSv2 session tokens (AWS), disable legacy metadata API (GCP), or apply equivalent controls on Azure to limit SSRF-based credential theft even if SSRF is triggered.

  5. DETECT

    Alert on outbound HTTP from vLLM process to internal IP ranges, metadata service IPs (169.254.169.254, 100.64.0.1), or any non-approved external hosts.

  6. AUDIT

    If CVE-2026-24779 was previously marked remediated in your vulnerability tracker, reopen it — the fix is bypassed and the risk is unresolved.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Code Execution Inference RAG Agent AML.T0010.001 AML.T0025 AML.T0035 AML.T0040 AML.T0049 AML.T0055 AML.T0106

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security Clause 8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-25960?

CVE-2026-25960 is a critical SSRF bypass in vLLM that allows unauthenticated attackers to pivot from your LLM inference server to internal cloud metadata services, internal APIs, and adjacent infrastructure — with no credentials required. The original CVE-2026-24779 fix is confirmed ineffective due to URL parser inconsistency between urllib3 (validation) and aiohttp/yarl (execution), meaning any organization that patched the original vuln is still exposed. Upgrade to the patched version immediately and treat this as an active incident if your vLLM instances run in cloud environments where IMDS credential theft is a realistic pivot.

Is CVE-2026-25960 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-25960, increasing the risk of exploitation.

How to fix CVE-2026-25960?

1. PATCH: Upgrade vLLM to the version containing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 — verify your version is beyond 0.17.0 where the fix is confirmed. 2. WORKAROUND: If immediate patching is blocked, disable remote URL loading functionality at the application config level and block it at the API gateway layer. 3. NETWORK EGRESS: Implement strict egress filtering on all vLLM hosts — block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback from outbound HTTP/HTTPS. 4. IMDS HARDENING: Enforce IMDSv2 session tokens (AWS), disable legacy metadata API (GCP), or apply equivalent controls on Azure to limit SSRF-based credential theft even if SSRF is triggered. 5. DETECT: Alert on outbound HTTP from vLLM process to internal IP ranges, metadata service IPs (169.254.169.254, 100.64.0.1), or any non-approved external hosts. 6. AUDIT: If CVE-2026-24779 was previously marked remediated in your vulnerability tracker, reopen it — the fix is bypassed and the risk is unresolved.

What systems are affected by CVE-2026-25960?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference APIs, cloud-hosted AI infrastructure, RAG pipelines, agent frameworks, AI training pipelines, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-25960?

CVE-2026-25960 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.44%.

What is the AI security impact?

Affected AI Architectures

model servingLLM inference APIscloud-hosted AI infrastructureRAG pipelinesagent frameworksAI training pipelinesmulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15, Article 15
ISO 42001: A.6.2.6, Clause 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05, LLM06, LLM07

What are the technical details?

Original Advisory

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.

Exploitation Scenario

An adversary identifies an organization running vLLM 0.17.0 via exposed API endpoint fingerprinting or job posting metadata. They craft a URL using URL encoding tricks, IPv6 literals, or protocol-relative notation that passes urllib3.util.parse_url() hostname validation but resolves differently when yarl (aiohttp's internal parser) processes it — specifically redirecting to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on AWS. The request is submitted to the vLLM model loading API endpoint with no authentication. vLLM's load_from_url_async fetches the URL via aiohttp, receives AWS temporary IAM credentials, and the response is returned or logged. The attacker harvests the credentials, enumerates S3 buckets containing model weights and training data, and uses the IAM role to pivot deeper into the organization's AI infrastructure or broader AWS environment.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
March 9, 2026
Last Modified
March 18, 2026
First Seen
March 9, 2026

Related Vulnerabilities

CRITICAL CVE-2024-9053 9.8

vllm: RCE via unsafe pickle deserialization in RPC server

Same package: vllm
CRITICAL CVE-2025-32444 9.8

vLLM: RCE via pickle deserialization on ZeroMQ

Same package: vllm
CRITICAL CVE-2025-47277 9.8

vLLM: RCE via exposed TCPStore in distributed inference

Same package: vllm
CRITICAL CVE-2024-11041 9.8

vllm: RCE via unsafe pickle deserialization in MessageQueue

Same package: vllm
CRITICAL CVE-2026-22807 9.8

vllm: Code Injection enables RCE

Same package: vllm
Back to Threat Feed