Description

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.

INFO

Published Date :

2026-04-06T15:36:52.942Z

Last Modified :

2026-04-07T14:15:32.390Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34753 vulnerability.

Vendors Products
Vllm-project
  • Vllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34753.

URL Resource
https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-34753 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-34753 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact