CVE-2026-54234
vLLM Project · vLLM
A vulnerability in the vLLM inference engine allows unauthenticated attackers to trigger a denial-of-service via improper input validation of specified quantities.
Executive summary
An unauthenticated remote denial-of-service vulnerability exists in vLLM versions prior to 0.24.0, posing a significant risk to service availability.
Vulnerability
This vulnerability involves improper input validation and improper validation of specified quantities (CWE-20, CWE-1284), allowing an unauthenticated attacker to exhaust system resources and cause service disruption.
Business impact
The CVSS score of 7.5 indicates a high severity rating due to the ease of exploitation over a network with no authentication required. Successful exploitation results in system downtime for the inference engine, which could disrupt AI-driven business processes and downstream applications relying on the vLLM service.
Remediation
Immediate Action: Upgrade to vLLM version 0.24.0 or later immediately to incorporate the necessary input validation patches.
Proactive Monitoring: Monitor system resource metrics (CPU/Memory) and application logs for unusual spikes or error patterns indicative of resource exhaustion attacks.
Compensating Controls: Implement rate limiting and input size restrictions at the API gateway level to prevent malformed or excessively large requests from reaching the inference engine.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given that this vulnerability affects a core component of high-throughput inference engines and requires no authentication for exploitation, the risk to operational continuity is significant. Administrators should prioritize the deployment of the 0.24.0 update to ensure robust input handling and prevent denial-of-service conditions.