CVE-2026-25960 — CRITICAL (CVSS 9.8) AI Security Vulnerability

Q: Is CVE-2026-25960 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-25960, increasing the risk of exploitation.

Q: How to fix CVE-2026-25960?

1. PATCH: Upgrade vLLM to the version containing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 — verify your version is beyond 0.17.0 where the fix is confirmed. 2. WORKAROUND: If immediate patching is blocked, disable remote URL loading functionality at the application config level and block it at the API gateway layer. 3. NETWORK EGRESS: Implement strict egress filtering on all vLLM hosts — block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback from outbound HTTP/HTTPS. 4. IMDS HARDENING: Enforce IMDSv2 session tokens (AWS), disable legacy metadata API (GCP), or apply equivalent controls on Azure to limit SSRF-based credential theft even if SSRF is triggered. 5. DETECT: Alert on outbound HTTP from vLLM process to internal IP ranges, metadata service IPs (169.254.169.254, 100.64.0.1), or any non-approved external hosts. 6. AUDIT: If CVE-2026-24779 was previously marked remediated in your vulnerability tracker, reopen it — the fix is bypassed and the risk is unresolved.

Q: What systems are affected by CVE-2026-25960?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference APIs, cloud-hosted AI infrastructure, RAG pipelines, agent frameworks, AI training pipelines, multi-tenant AI platforms.

Q: What is the CVSS score for CVE-2026-25960?

CVE-2026-25960 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.02%.

CISO Take

CVE-2026-25960 is a critical SSRF bypass in vLLM that allows unauthenticated attackers to pivot from your LLM inference server to internal cloud metadata services, internal APIs, and adjacent infrastructure — with no credentials required. The original CVE-2026-24779 fix is confirmed ineffective due to URL parser inconsistency between urllib3 (validation) and aiohttp/yarl (execution), meaning any organization that patched the original vuln is still exposed. Upgrade to the patched version immediately and treat this as an active incident if your vLLM instances run in cloud environments where IMDS credential theft is a realistic pivot.

Risk Assessment

Critical. CVSS 9.8 with network-accessible, unauthenticated, zero-interaction attack vector. vLLM is the dominant open-source LLM serving engine widely deployed in enterprise AI stacks, significantly broadening the blast radius. The bypass nature of this CVE compounds risk: attackers who already developed tooling for CVE-2026-24779 can likely adapt it trivially. Cloud-hosted vLLM deployments are highest priority — SSRF to instance metadata services (AWS IMDS, GCP metadata, Azure IMDS) converts this into a credential theft and lateral movement vulnerability. Exploitation is low-complexity given the existing public disclosure and patch diff.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
vllm	pip	—	No patch
79.5K 127 dependents Pushed today 56% patched ~32d to patch Full package profile →
vllm	pip	>= 0.15.1, < 0.17.0	`0.17.0`
79.5K 127 dependents Pushed today 56% patched ~32d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade vLLM to the version containing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 — verify your version is beyond 0.17.0 where the fix is confirmed.
WORKAROUND

If immediate patching is blocked, disable remote URL loading functionality at the application config level and block it at the API gateway layer.
NETWORK EGRESS

Implement strict egress filtering on all vLLM hosts — block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback from outbound HTTP/HTTPS.
IMDS HARDENING

Enforce IMDSv2 session tokens (AWS), disable legacy metadata API (GCP), or apply equivalent controls on Azure to limit SSRF-based credential theft even if SSRF is triggered.
DETECT

Alert on outbound HTTP from vLLM process to internal IP ranges, metadata service IPs (169.254.169.254, 100.64.0.1), or any non-approved external hosts.
AUDIT

If CVE-2026-24779 was previously marked remediated in your vulnerability tracker, reopen it — the fix is bypassed and the risk is unresolved.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Code Execution Inference RAG Agent AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security Clause 8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-25960?

CVE-2026-25960 is a critical SSRF bypass in vLLM that allows unauthenticated attackers to pivot from your LLM inference server to internal cloud metadata services, internal APIs, and adjacent infrastructure — with no credentials required. The original CVE-2026-24779 fix is confirmed ineffective due to URL parser inconsistency between urllib3 (validation) and aiohttp/yarl (execution), meaning any organization that patched the original vuln is still exposed. Upgrade to the patched version immediately and treat this as an active incident if your vLLM instances run in cloud environments where IMDS credential theft is a realistic pivot.

Is CVE-2026-25960 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-25960, increasing the risk of exploitation.

How to fix CVE-2026-25960?

1. PATCH: Upgrade vLLM to the version containing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 — verify your version is beyond 0.17.0 where the fix is confirmed. 2. WORKAROUND: If immediate patching is blocked, disable remote URL loading functionality at the application config level and block it at the API gateway layer. 3. NETWORK EGRESS: Implement strict egress filtering on all vLLM hosts — block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback from outbound HTTP/HTTPS. 4. IMDS HARDENING: Enforce IMDSv2 session tokens (AWS), disable legacy metadata API (GCP), or apply equivalent controls on Azure to limit SSRF-based credential theft even if SSRF is triggered. 5. DETECT: Alert on outbound HTTP from vLLM process to internal IP ranges, metadata service IPs (169.254.169.254, 100.64.0.1), or any non-approved external hosts. 6. AUDIT: If CVE-2026-24779 was previously marked remediated in your vulnerability tracker, reopen it — the fix is bypassed and the risk is unresolved.

What systems are affected by CVE-2026-25960?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference APIs, cloud-hosted AI infrastructure, RAG pipelines, agent frameworks, AI training pipelines, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-25960?

CVE-2026-25960 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.

Exploitation Scenario

An adversary identifies an organization running vLLM 0.17.0 via exposed API endpoint fingerprinting or job posting metadata. They craft a URL using URL encoding tricks, IPv6 literals, or protocol-relative notation that passes urllib3.util.parse_url() hostname validation but resolves differently when yarl (aiohttp's internal parser) processes it — specifically redirecting to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on AWS. The request is submitted to the vLLM model loading API endpoint with no authentication. vLLM's load_from_url_async fetches the URL via aiohttp, receives AWS temporary IAM credentials, and the response is returned or logged. The attacker harvests the credentials, enumerates S3 buckets containing model weights and training data, and uses the IAM role to pivot deeper into the organization's AI infrastructure or broader AWS environment.