Cyber Posture

CVE-2026-24779

HighPublic PoC

Published: 27 January 2026

Published
27 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
EPSS Score 0.0002 5.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24779 is a high-severity SSRF (CWE-918) vulnerability in Vllm Vllm. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

SC-7 Boundary Protection
addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

SI-10 Information Input Validation
addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

SI-4 System Monitoring
addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
attack.mitre.org →
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
attack.mitre.org →
Why these techniques?

SSRF in public-facing vLLM server directly enables T1190 exploitation; description explicitly states resulting internal network scanning (T1046) and DoS against management endpoints (T1499).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain…

more

and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.

Deeper analysisAI

CVE-2026-24779 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting vLLM, an inference and serving engine for large language models (LLMs), specifically in the MediaConnector class within its multimodal feature set prior to version 0.14.1. The issue arises in the load_from_url and load_from_url_async methods, which process user-provided URLs for media loading and apply host restrictions using different Python parsing libraries. These libraries interpret backslashes differently, enabling attackers to bypass the host restriction and force the vLLM server to make unintended requests.

Attackers with low privileges (PR:L) who can supply malicious URLs to the affected methods can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the vLLM server to be coerced into issuing arbitrary requests to internal network resources, with a CVSS v3.1 base score of 7.1 (C:H/I:N/A:L). This is especially severe in containerized deployments like llm-d, where a compromised vLLM pod could scan the internal network, interact with other pods, access sensitive data, or cause denial of service—for instance, by sending malicious requests to an llm-d management endpoint that falsely reports metrics like KV cache state, leading to system instability.

The vLLM project addressed this in version 0.14.1 via a patch detailed in GitHub commit f46d576c54fb8aeec5fc70560e850bed38ef17d7 and pull request #32746, with full advisory information available at GHSA-qh4c-xf7m-gxfc. Security practitioners should upgrade to v0.14.1 or later to mitigate the risk.

Details

CWE(s)
CWE-918

Affected Products

vllm
vllm
≤ 0.14.1

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm, llm

CVEs Like This One

CVE-2026-25960Same product: Vllm Vllm
CVE-2026-22778Same product: Vllm Vllm
CVE-2026-22773Same product: Vllm Vllm
CVE-2025-62164Same product: Vllm Vllm
CVE-2026-22807Same product: Vllm Vllm
CVE-2025-66448Same product: Vllm Vllm
CVE-2025-24357Same product: Vllm Vllm
CVE-2024-11041Same product: Vllm Vllm
CVE-2025-29783Same product: Vllm Vllm
CVE-2026-27893Same product: Vllm Vllm

References