CVE-2026-34753: vLLM: SSRF in batch API exposes cloud metadata endpoints

GHSA-pf3h-qjgv-vcpr MEDIUM
Published April 3, 2026
CISO Take

Any actor who can supply batch input JSON to vLLM can make the server issue arbitrary HTTP requests to internal services, including cloud metadata endpoints (AWS IMDSv1, GCP metadata). In cloud-deployed environments this is a credential theft vector — stolen IAM credentials enable full lateral movement across the account. Patch to vLLM 0.19.0 immediately; if patching is delayed, enforce IMDSv2 on all vLLM hosts and lock down batch API access to trusted principals only.

What is the risk?

The CVSS score of 5.4 (Medium) materially understates real-world risk for cloud deployments. Exploitation requires no AI/ML knowledge — a single crafted JSONL line is sufficient, making this trivially accessible to low-sophistication attackers. vLLM is predominantly deployed on cloud infrastructure where instance metadata services are reachable by default. In AWS environments running IMDSv1, SSRF translates directly into IAM credential theft and potential full-account compromise. Risk classification: HIGH for cloud-hosted vLLM batch workloads; MEDIUM for on-premises deployments with network segmentation in place.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip >= 0.16.0, < 0.19.0 0.19.0
84.6K 130 dependents Pushed 6d ago 23% patched ~51d to patch Full package profile →

Do you use vLLM? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 16% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A Low

What should I do?

5 steps
  1. PATCH

    Upgrade to vLLM 0.19.0 immediately — this release backports the domain allowlist pattern from MediaConnector into the batch runner.

  2. CLOUD HARDENING

    Enforce IMDSv2 (token-required mode) on all AWS EC2 instances hosting vLLM; this blocks SSRF-based credential theft from IMDSv1 even before patching.

  3. NETWORK EGRESS

    Add host-level egress rules blocking access from vLLM processes to 169.254.169.254, metadata.google.internal, 100.100.100.200 (Alibaba Cloud), and all RFC-1918 ranges unless explicitly required.

  4. ACCESS CONTROL

    Treat batch input as an attack surface — restrict who can submit batch jobs via IAM policies, API gateway auth, or job queue ACLs.

  5. DETECT

    Alert on outbound HTTP from vLLM processes to metadata IPs, internal ranges, or non-whitelisted domains; query patterns targeting IMDS paths (/latest/meta-data/iam) are a strong signal.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI system design and development
NIST AI RMF
MANAGE-2.2 - Mechanisms for managing AI risks throughout the lifecycle
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-34753?

Any actor who can supply batch input JSON to vLLM can make the server issue arbitrary HTTP requests to internal services, including cloud metadata endpoints (AWS IMDSv1, GCP metadata). In cloud-deployed environments this is a credential theft vector — stolen IAM credentials enable full lateral movement across the account. Patch to vLLM 0.19.0 immediately; if patching is delayed, enforce IMDSv2 on all vLLM hosts and lock down batch API access to trusted principals only.

Is CVE-2026-34753 actively exploited?

No confirmed active exploitation of CVE-2026-34753 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34753?

1. PATCH: Upgrade to vLLM 0.19.0 immediately — this release backports the domain allowlist pattern from MediaConnector into the batch runner. 2. CLOUD HARDENING: Enforce IMDSv2 (token-required mode) on all AWS EC2 instances hosting vLLM; this blocks SSRF-based credential theft from IMDSv1 even before patching. 3. NETWORK EGRESS: Add host-level egress rules blocking access from vLLM processes to 169.254.169.254, metadata.google.internal, 100.100.100.200 (Alibaba Cloud), and all RFC-1918 ranges unless explicitly required. 4. ACCESS CONTROL: Treat batch input as an attack surface — restrict who can submit batch jobs via IAM policies, API gateway auth, or job queue ACLs. 5. DETECT: Alert on outbound HTTP from vLLM processes to metadata IPs, internal ranges, or non-whitelisted domains; query patterns targeting IMDS paths (/latest/meta-data/iam) are a strong signal.

What systems are affected by CVE-2026-34753?

This vulnerability affects the following AI/ML architecture patterns: batch inference pipelines, model serving, audio transcription and translation services, cloud-hosted LLM inference infrastructure, LLMOps platforms using vLLM batch mode.

What is the CVSS score for CVE-2026-34753?

CVE-2026-34753 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

batch inference pipelinesmodel servingaudio transcription and translation servicescloud-hosted LLM inference infrastructureLLMOps platforms using vLLM batch mode

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.

Exploitation Scenario

An attacker with access to the vLLM batch endpoint crafts a JSONL file where the file_url field of an audio transcription request points to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The batch runner calls download_bytes_from_url() with no validation and makes a GET request to the AWS IMDS endpoint. The JSON response containing temporary IAM role credentials (AccessKeyId, SecretAccessKey, Token) is returned as raw bytes to the attacker. With those credentials the attacker enumerates S3 buckets, accesses training datasets or model artifacts, and potentially pivots to other AWS services in scope for that IAM role. In shared inference platforms or managed LLMOps environments, this represents a complete tenant isolation failure with cloud-wide blast radius.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Timeline

Published
April 3, 2026
Last Modified
April 7, 2026
First Seen
April 4, 2026

Related Vulnerabilities