CVE-2026-34756: vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

April 3, 2026 (updated April 6, 2026)

A denial-of-service vulnerability exists in the vLLM OpenAI-compatible API server. The `ChatCompletionRequest` and `CompletionRequest` Pydantic models do not enforce an upper bound on the `n` parameter, so an unauthenticated attacker can send a single HTTP request with an extremely large `n` value. The server then allocates millions of copies of the request object on the heap before the request reaches the scheduling queue, which blocks the Python asyncio event loop and causes an immediate out-of-memory crash.
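To illustrate the class of fix, the following is a minimal, standard-library sketch of rejecting an oversized `n` before any per-choice objects are created. It is not the vLLM patch: `MAX_N`, `CompletionParams`, and `fan_out` are hypothetical names chosen for this example, and the cap of 128 is an arbitrary assumption. The real models are Pydantic classes, where an equivalent bound would typically be declared on the field itself.

```python
from dataclasses import dataclass

# Hypothetical cap chosen for illustration; not taken from the vLLM patch.
MAX_N = 128


@dataclass
class CompletionParams:
    """Hypothetical stand-in for the request fields relevant to this advisory."""

    prompt: str
    n: int = 1

    def __post_init__(self) -> None:
        # Reject non-integers (bool is a subclass of int, so exclude it explicitly).
        if isinstance(self.n, bool) or not isinstance(self.n, int):
            raise ValueError("n must be an integer")
        # Enforce both bounds before any per-choice work is done.
        if not 1 <= self.n <= MAX_N:
            raise ValueError(f"n must be between 1 and {MAX_N}, got {self.n}")


def fan_out(params: CompletionParams) -> list:
    """Create one lightweight record per requested choice.

    Because validation has already run, this loop is bounded by MAX_N.
    """
    return [{"prompt": params.prompt, "index": i} for i in range(params.n)]
```

With a check like this in place, a request carrying `n=10**9` fails validation immediately instead of reaching the fan-out step, so the cost of rejecting it is constant rather than proportional to `n`.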

References

github.com/advisories/GHSA-3mwp-wvh9-7528
github.com/vllm-project/vllm
github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380
github.com/vllm-project/vllm/pull/37952
github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528
nvd.nist.gov/vuln/detail/CVE-2026-34756
