CVE-2026-48746: vLLM: OpenAI auth bypass

June 16, 2026

A vulnerability in ASGI web servers and starlette’s trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec’s source code audit. It allows to use the API without providing the configured VLLM_API_KEY or --api-key.

References

github.com/advisories/GHSA-94f4-hr76-p5j6
github.com/vllm-project/vllm/pull/43426
github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6
nvd.nist.gov/vuln/detail/CVE-2026-48746
x41-dsec.de/lab/advisories/x41-2026-002-starlette

Code Behaviors & Features

Detect and mitigate CVE-2026-48746 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →