AI Threat Alert

CVE-2026-34753: vLLM: SSRF in batch API exposes cloud metadata endpoints

GHSA-pf3h-qjgv-vcpr MEDIUM
Published April 3, 2026
CISO Take

Any actor who can supply batch input JSON to vLLM can make the server issue arbitrary HTTP requests to internal services, including cloud metadata endpoints (AWS IMDSv1, GCP metadata). In cloud-deployed environments this is a credential theft vector — stolen IAM credentials enable full lateral movement across the account. Patch to vLLM 0.19.0 immediately; if patching is delayed, enforce IMDSv2 on all vLLM hosts and lock down batch API access to trusted principals only.

What is the risk?

The CVSS score of 5.4 (Medium) materially understates real-world risk for cloud deployments. Exploitation requires no AI/ML knowledge — a single crafted JSONL line is sufficient, making this trivially accessible to low-sophistication attackers. vLLM is predominantly deployed on cloud infrastructure where instance metadata services are reachable by default. In AWS environments running IMDSv1, SSRF translates directly into IAM credential theft and potential full-account compromise. Risk classification: HIGH for cloud-hosted vLLM batch workloads; MEDIUM for on-premises deployments with network segmentation in place.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vllm pip >= 0.16.0, < 0.19.0 0.19.0
80.2K 127 dependents Pushed 3d ago 56% patched ~33d to patch Full package profile →

Do you use vllm? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A Low

What should I do?

5 steps

  1. PATCH

    Upgrade to vLLM 0.19.0 immediately — this release backports the domain allowlist pattern from MediaConnector into the batch runner.

  2. CLOUD HARDENING

    Enforce IMDSv2 (token-required mode) on all AWS EC2 instances hosting vLLM; this blocks SSRF-based credential theft from IMDSv1 even before patching.

  3. NETWORK EGRESS

    Add host-level egress rules blocking access from vLLM processes to 169.254.169.254, metadata.google.internal, 100.100.100.200 (Alibaba Cloud), and all RFC-1918 ranges unless explicitly required.

  4. ACCESS CONTROL

    Treat batch input as an attack surface — restrict who can submit batch jobs via IAM policies, API gateway auth, or job queue ACLs.

  5. DETECT

    Alert on outbound HTTP from vLLM processes to metadata IPs, internal ranges, or non-whitelisted domains; query patterns targeting IMDS paths (/latest/meta-data/iam) are a strong signal.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Inference AML.T0037 AML.T0040 AML.T0049 AML.T0055 AML.T0075

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI system design and development
NIST AI RMF
MANAGE-2.2 - Mechanisms for managing AI risks throughout the lifecycle
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-34753?

Any actor who can supply batch input JSON to vLLM can make the server issue arbitrary HTTP requests to internal services, including cloud metadata endpoints (AWS IMDSv1, GCP metadata). In cloud-deployed environments this is a credential theft vector — stolen IAM credentials enable full lateral movement across the account. Patch to vLLM 0.19.0 immediately; if patching is delayed, enforce IMDSv2 on all vLLM hosts and lock down batch API access to trusted principals only.

Is CVE-2026-34753 actively exploited?

No confirmed active exploitation of CVE-2026-34753 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34753?

1. PATCH: Upgrade to vLLM 0.19.0 immediately — this release backports the domain allowlist pattern from MediaConnector into the batch runner. 2. CLOUD HARDENING: Enforce IMDSv2 (token-required mode) on all AWS EC2 instances hosting vLLM; this blocks SSRF-based credential theft from IMDSv1 even before patching. 3. NETWORK EGRESS: Add host-level egress rules blocking access from vLLM processes to 169.254.169.254, metadata.google.internal, 100.100.100.200 (Alibaba Cloud), and all RFC-1918 ranges unless explicitly required. 4. ACCESS CONTROL: Treat batch input as an attack surface — restrict who can submit batch jobs via IAM policies, API gateway auth, or job queue ACLs. 5. DETECT: Alert on outbound HTTP from vLLM processes to metadata IPs, internal ranges, or non-whitelisted domains; query patterns targeting IMDS paths (/latest/meta-data/iam) are a strong signal.

What systems are affected by CVE-2026-34753?

This vulnerability affects the following AI/ML architecture patterns: batch inference pipelines, model serving, audio transcription and translation services, cloud-hosted LLM inference infrastructure, LLMOps platforms using vLLM batch mode.

What is the CVSS score for CVE-2026-34753?

CVE-2026-34753 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.

Exploitation Scenario

An attacker with access to the vLLM batch endpoint crafts a JSONL file where the file_url field of an audio transcription request points to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The batch runner calls download_bytes_from_url() with no validation and makes a GET request to the AWS IMDS endpoint. The JSON response containing temporary IAM role credentials (AccessKeyId, SecretAccessKey, Token) is returned as raw bytes to the attacker. With those credentials the attacker enumerates S3 buckets, accesses training datasets or model artifacts, and potentially pivots to other AWS services in scope for that IAM role. In shared inference platforms or managed LLMOps environments, this represents a complete tenant isolation failure with cloud-wide blast radius.

Weaknesses (CWE)

CWE-918 Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

Timeline

Published
April 3, 2026
Last Modified
April 7, 2026
First Seen
April 4, 2026

Related Vulnerabilities

CRITICAL CVE-2024-9053 9.8

vllm: RCE via unsafe pickle deserialization in RPC server

Same package: vllm
CRITICAL CVE-2024-11041 9.8

vllm: RCE via unsafe pickle deserialization in MessageQueue

Same package: vllm
CRITICAL CVE-2025-47277 9.8

vLLM: RCE via exposed TCPStore in distributed inference

Same package: vllm
CRITICAL CVE-2026-25960 9.8

vllm: SSRF allows internal network access

Same package: vllm
CRITICAL CVE-2025-32444 9.8

vLLM: RCE via pickle deserialization on ZeroMQ

Same package: vllm
Back to Threat Feed