CVE-2026-34753 Overview
CVE-2026-34753 is a server-side request forgery (SSRF) vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The flaw resides in the download_bytes_from_url function used by the vLLM batch runner. Versions from 0.16.0 up to (but not including) 0.19.0 accept attacker-controlled URLs in batch input JSON without validating the destination or restricting domains. An actor who can submit batch input can force the vLLM host to issue arbitrary HTTP/HTTPS requests. The vulnerability is fixed in vLLM 0.19.0 and is tracked under CWE-918.
Critical Impact
Attackers can pivot from batch input control to internal services reachable from the vLLM host, including cloud metadata endpoints and internal HTTP APIs.
Affected Products
- vLLM 0.16.0 up to, but not including, 0.19.0
- Deployments exposing the vLLM batch runner to untrusted batch input JSON
- Hosted inference services built on vulnerable vLLM releases
Discovery Timeline
- 2026-04-06 - CVE-2026-34753 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-34753
Vulnerability Analysis
The vulnerability sits in vLLM's batch runner, which downloads payloads referenced inside batch input JSON. The download_bytes_from_url helper fetches the URL field directly without applying an allowlist, scheme filter, or host validation. Any caller who controls batch input can therefore direct the server to fetch arbitrary HTTP or HTTPS resources.
Because requests originate from the vLLM host, the attacker reaches network destinations that are not exposed externally. Typical targets include cloud instance metadata services such as http://169.254.169.254/, internal management APIs, and lateral HTTP endpoints inside the deployment VPC. Responses may be reflected to the attacker through batch output or used to enumerate internal infrastructure.
The issue is classified under CWE-918: Server-Side Request Forgery. Exploitation requires only low privileges (the ability to submit a batch job) and no user interaction. EPSS data places exploitation probability at 0.046%.
Root Cause
The root cause is missing input validation in download_bytes_from_url. The function trusts URL strings supplied by batch consumers and performs the network request without checking the scheme, resolving the hostname and rejecting internal address ranges, or limiting redirects.
Attack Vector
An authenticated batch submitter crafts a JSON document containing a URL pointing to an internal resource. When the vLLM batch runner processes the entry, it issues an HTTP request from the server context. The attacker observes returned content, response timing, or error behavior to extract data from the targeted endpoint. See the vLLM GitHub Security Advisory GHSA-pf3h-qjgv-vcpr for vendor technical detail.
Detection Methods for CVE-2026-34753
Indicators of Compromise
- Outbound HTTP/HTTPS connections from vLLM hosts to link-local addresses such as 169.254.169.254 or RFC 1918 ranges that are not part of normal inference workflows.
- Batch input JSON containing URL fields that reference internal hostnames, loopback addresses, or cloud metadata endpoints.
- Unexpected entries in vLLM batch runner logs referencing download_bytes_from_url fetches to non-public destinations.
Detection Strategies
- Inspect batch input payloads for URL schemes and hosts; alert on any URL resolving to private, loopback, or link-local addresses.
- Correlate vLLM process network telemetry with batch job submissions to identify SSRF-style fetch patterns.
- Audit running vLLM versions across the fleet and flag any installation between 0.16.0 and 0.18.x inclusive.
Monitoring Recommendations
- Capture egress flow logs from inference hosts and route them to a centralized analytics platform for anomaly review.
- Monitor cloud metadata service (IMDS) request counts per host; spikes from inference workers warrant investigation.
- Alert on batch jobs that produce HTTP fetches with non-2xx responses to internal addresses, which often indicate reconnaissance.
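The three monitoring items above can be combined into one correlation pass over egress telemetry and batch submissions. The following is an added example, not code from vLLM or from the advisory: it classifies egress flows by destination, attaches each internal-destination flow to the batch job most recently started on the same host, counts IMDS requests per host, and separates non-2xx internal fetches. The flow-log and job-log formats, host names, job ids and timestamps are all constructed for the example; a real deployment would map these fields from its cloud flow logs or egress proxy logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

IMDS = ipaddress.ip_address("169.254.169.254")

# Constructed egress flow records from inference hosts (a simplified format, not a real
# cloud flow-log schema): "<ISO timestamp> <host> <dst_ip> <dst_port> <http_status>"
FLOW_LOG = """\
2026-04-07T10:00:01Z vllm-worker-1 93.184.216.34 443 200
2026-04-07T10:00:05Z vllm-worker-1 169.254.169.254 80 200
2026-04-07T10:00:06Z vllm-worker-1 169.254.169.254 80 404
2026-04-07T10:00:07Z vllm-worker-1 10.0.4.22 8080 403
2026-04-07T10:01:30Z vllm-worker-2 93.184.216.34 443 200
2026-04-07T10:02:00Z vllm-worker-2 169.254.169.254 80 200
"""

# Constructed batch-job submission records: "<ISO timestamp> <job_id> <submitter> <host>"
BATCH_JOBS = """\
2026-04-07T09:59:50Z job-41 svc-ingest vllm-worker-1
2026-04-07T10:01:55Z job-42 analyst-7 vllm-worker-2
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, status = line.split()
        flows.append({"ts": parse_ts(ts), "host": host, "dst": ipaddress.ip_address(dst),
                      "port": int(port), "status": int(status)})
    return flows


def parse_jobs(text):
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job_id, submitter, host = line.split()
        jobs.append({"ts": parse_ts(ts), "job_id": job_id, "submitter": submitter, "host": host})
    return jobs


def internal_flows(flows):
    """Flows to destinations that are not globally routable (IMDS, RFC 1918, loopback, ...)."""
    return [f for f in flows if not f["dst"].is_global]


def correlate(flows, jobs, window=timedelta(minutes=5)):
    """For each internal-destination flow, find the batch job most recently started on the
    same host within `window` before the flow. A flow with no such job is still reported."""
    alerts = []
    for flow in internal_flows(flows):
        started_before = [j for j in jobs if j["host"] == flow["host"]
                          and timedelta(0) <= flow["ts"] - j["ts"] <= window]
        job = max(started_before, key=lambda j: j["ts"]) if started_before else None
        alerts.append({
            "ts": flow["ts"], "host": flow["host"], "dst": str(flow["dst"]),
            "kind": "imds" if flow["dst"] == IMDS else "internal",
            "status": flow["status"],
            "job_id": job["job_id"] if job else None,
            "submitter": job["submitter"] if job else None,
        })
    return alerts


def imds_counts(flows):
    """IMDS requests per host; compare against a per-fleet baseline to spot spikes."""
    counts = defaultdict(int)
    for flow in flows:
        if flow["dst"] == IMDS:
            counts[flow["host"]] += 1
    return dict(counts)


def failed_internal(alerts):
    """Internal-destination fetches that did not get a 2xx: probing rather than normal use."""
    return [a for a in alerts if not 200 <= a["status"] < 300]


if __name__ == "__main__":
    flows, jobs = parse_flows(FLOW_LOG), parse_jobs(BATCH_JOBS)
    for alert in correlate(flows, jobs):
        print(alert)
    print("IMDS requests per host:", imds_counts(flows))
```

On the constructed data every internal flow lands on a job started seconds earlier on the same host, which is the signal worth paging on: a batch submitter whose jobs coincide with IMDS or RFC 1918 traffic. Inference workers that legitimately call IMDS at boot (credential refresh, instance identity) will appear in imds_counts, so the per-host threshold should come from a baseline measured on patched hosts rather than being zero.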
How to Mitigate CVE-2026-34753
Immediate Actions Required
- Upgrade vLLM to version 0.19.0 or later, where download_bytes_from_url performs URL validation.
- Restrict who can submit batch input JSON to the vLLM batch runner using authentication and network segmentation.
- Enforce IMDSv2 with hop-limit 1 on AWS hosts to prevent SSRF-based metadata theft.
Patch Information
The vulnerability is fixed in vLLM 0.19.0. See the vLLM GitHub Security Advisory GHSA-pf3h-qjgv-vcpr for the patched commit and release notes.
Workarounds
- Place vLLM hosts behind an egress proxy that blocks requests to internal, loopback, and link-local address ranges.
- Pre-validate batch input JSON in an upstream service, rejecting any URL whose host resolves to a private network.
- Run the vLLM batch runner in a network namespace with no route to cloud metadata services or internal management APIs.
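The "inspect batch input payloads" detection strategy and the "pre-validate batch input JSON in an upstream service" workaround above both come down to the same check, shown here as an added example that is not vLLM's code and not the patched download_bytes_from_url. It walks every string in each JSONL entry, treats anything containing "://" as a URL, enforces an http/https scheme allowlist, resolves the host (literal IPs, integer-encoded IPs such as 2852039166, IPv4-mapped IPv6, and DNS names), and rejects any address that is loopback, link-local, private or otherwise not globally routable. The batch entries, host names and the fake DNS table are constructed so the example runs offline; in production the default socket-based resolver is used.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Default resolver: every A/AAAA answer for host, or [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def host_addresses(host, resolver=resolve_host):
    """All IP addresses the host component would send traffic to (literal or resolved)."""
    try:
        return [ipaddress.ip_address(host)]           # dotted or colon literal
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(int(host, 0))]   # integer forms: 2852039166, 0xa9fea9fe
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_internal(addr):
    """Loopback, link-local (where cloud IMDS lives), RFC 1918 and any other non-global range."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                        # ::ffff:169.254.169.254 wraps a v4 address
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified
            or not addr.is_global)


def check_url(url, resolver=resolve_host):
    """Return (allowed, reason) for one URL taken from batch input."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:                          # e.g. malformed IPv6 brackets
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not host:
        return False, "missing host"
    addrs = host_addresses(host, resolver)
    if not addrs:
        return False, "host %r does not resolve" % host
    for addr in addrs:
        if is_internal(addr):
            return False, "host %r resolves to internal address %s" % (host, addr)
    return True, "ok"


def iter_strings(node):
    """Yield every string value anywhere inside a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def scan_batch_jsonl(text, resolver=resolve_host):
    """Return [(line_no, value, reason)] for every URL-looking string that fails check_url."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((line_no, raw[:80], "malformed JSON"))
            continue
        for value in iter_strings(entry):
            if "://" in value:                          # endpoint paths like /v1/chat/completions are skipped
                ok, reason = check_url(value, resolver)
                if not ok:
                    findings.append((line_no, value, reason))
    return findings


# Constructed sample batch input and a constructed DNS table so the example runs offline.
SAMPLE_BATCH = "\n".join([
    '{"custom_id": "req-1", "url": "https://public.example.test/inputs/a.jsonl"}',
    '{"custom_id": "req-2", "url": "http://169.254.169.254/"}',
    '{"custom_id": "req-3", "body": {"image_url": "http://internal-api.corp.test:8080/status"}}',
    '{"custom_id": "req-4", "url": "http://2852039166/"}',
    '{"custom_id": "req-5", "url": "file:///tmp/input.jsonl"}',
])
FAKE_DNS = {"public.example.test": ["93.184.216.34"],
            "internal-api.corp.test": ["10.20.30.40"]}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for line_no, value, reason in scan_batch_jsonl(SAMPLE_BATCH, fake_resolver):
        print("line %d: reject %s (%s)" % (line_no, value, reason))
```

Two caveats apply to any validator of this shape. It checks the URL as submitted, so the fetching code must still refuse or re-validate redirects, otherwise a permitted public host can 302 to an internal one (the root-cause section above lists unrestricted redirects as part of the flaw). And a DNS answer can change between validation and connection, so the fetch should connect to the address that was validated rather than resolving the name a second time. Neither replaces the upgrade to 0.19.0; the validator is the upstream gate the Workarounds section describes.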
```shell
# Configuration example: upgrade vLLM and verify version
pip install --upgrade "vllm>=0.19.0"
python -c "import vllm; print(vllm.__version__)"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.