CVE-2026-24779
Published: 27 January 2026
Summary
CVE-2026-24779 is a high-severity SSRF (CWE-918) vulnerability in vLLM. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24779 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting vLLM, an inference and serving engine for large language models (LLMs), specifically in the MediaConnector class within its multimodal feature set prior to version 0.14.1. The issue arises in the load_from_url and load_from_url_async methods, which process user-provided URLs for media loading and apply host restrictions using different Python parsing libraries. These libraries interpret backslashes differently, enabling attackers to bypass the host restriction and force the vLLM server to make unintended requests.
Attackers with low privileges (PR:L) who can supply malicious URLs to the affected methods can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the vLLM server to be coerced into issuing arbitrary requests to internal network resources, with a CVSS v3.1 base score of 7.1 (C:H/I:N/A:L). This is especially severe in containerized deployments like llm-d, where a compromised vLLM pod could scan the internal network, interact with other pods, access sensitive data, or cause denial of service—for instance, by sending malicious requests to an llm-d management endpoint that falsely reports metrics like KV cache state, leading to system instability.
The vLLM project addressed this in version 0.14.1 via a patch detailed in GitHub commit f46d576c54fb8aeec5fc70560e850bed38ef17d7 and pull request #32746, with full advisory information available at GHSA-qh4c-xf7m-gxfc. Security practitioners should upgrade to v0.14.1 or later to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4711
Vulnerability details
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The `load_from_url` and `load_from_url_async` methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.
- CWE(s)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm, llms, vllm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing vLLM server directly enables T1190 exploitation; description explicitly states resulting internal network scanning (T1046) and DoS against management endpoints (T1499).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces policy-based restrictions on information flows so that user-supplied URLs cannot cause the server to issue arbitrary requests to internal hosts.
Requires validation and sanitization of URL inputs in load_from_url methods to block malformed or backslash-encoded host bypasses.
Implements boundary protections that can deny or monitor outbound connections from the vLLM pod to internal network endpoints.
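An added example of the URL input validation described above (it is not vLLM's patch and not code from this page): the URL is parsed once, input containing characters that parsers interpret inconsistently, including the backslash, is rejected, and the fetcher is handed a URL rebuilt from the checked components rather than the caller's raw string. The names `validate_media_url`, `is_allowed`, `RejectedURL` and the `ALLOWED_HOSTS` value are hypothetical, chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist; constructed for this example.
ALLOWED_HOSTS = frozenset({"cdn.example.com"})


class RejectedURL(ValueError):
    """Raised when a media URL fails validation."""


def validate_media_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a canonical URL to fetch, or raise RejectedURL."""
    # Reject characters that URL parsers are known to treat inconsistently
    # (backslash, whitespace, non-printable characters) before any parsing.
    if any(c == "\\" or c.isspace() or not c.isprintable() for c in url):
        raise RejectedURL("ambiguous character in URL")

    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise RejectedURL(f"unparseable URL: {exc}") from exc

    if parts.scheme not in ("http", "https"):
        raise RejectedURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("userinfo not allowed")

    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        raise RejectedURL("host not in allowlist")

    # Rebuild the URL from the components that were checked, so the HTTP
    # client connects to the host that was validated, not a re-parse of `url`.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_allowed(url: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_media_url(url)
    except RejectedURL:
        return False
    return True
```

Pass the returned string, not the original input, to the HTTP client, and disable or re-validate redirects so a permitted host cannot forward the request elsewhere.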