PatchSiren cyber security CVE debrief
CVE-2026-34756 vllm-project CVE debrief
CVE-2026-34756 is a Denial of Service vulnerability in the vLLM OpenAI-compatible API server. The vulnerability exists due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models. This allows an unauthenticated attacker to send a single HTTP request with an astronomically large n value, causing immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap. The vulnerability is fixed in version 0.19.0. Users of affected versions should update to 0.19.0 or later. In the meantime, defenders can monitor API server logs for suspiciously large n values and consider rate limiting on API requests.
- Vendor: vllm-project
- Product: vllm
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-06
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-06
- Advisory updated: 2026-06-30
Who should care
Users of vLLM OpenAI-compatible API server versions from 0.1.0 to before 0.19.0 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.19.0 or later, monitoring API server logs for suspicious activity, and considering rate limiting on API requests. Organizations using affected versions in production should prioritize patching due to the potential for denial of service attacks.
Technical summary
The vulnerability in vLLM OpenAI-compatible API server versions from 0.1.0 to before 0.19.0 is caused by the lack of upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models. An unauthenticated attacker can exploit this by sending a single HTTP request with an extremely large n value. This causes the Python asyncio event loop to block completely and leads to immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. The CVSS score for this vulnerability is 6.5, with a severity rating of MEDIUM. The vulnerability is addressed in version 0.19.0.
Defensive priority
CVE-2026-34756 has a CVSS score of 6.5 and is rated as MEDIUM severity. Defenders should prioritize patching affected systems, as the vulnerability allows for denial of service attacks with a relatively simple HTTP request.
Recommended defensive actions
- Update vLLM OpenAI-compatible API server to version 0.19.0 or later
- Monitor API server logs for suspiciously large n values in requests
- Consider implementing rate limiting on API requests to mitigate potential attacks
- Review and adjust API server configurations to prevent exploitation
- Perform regular vulnerability scans to detect affected systems
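As an added illustration of two points in this debrief (bounding n before a request is expanded into per-sample copies, and checking server logs for oversized n values), here is example code written for this page. It is not vLLM's code: the 16-sample cap, the CompletionRequest shape, the fan_out helper and the log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical cap for this example; the limit vLLM 0.19.0 applies is not stated on this page.
MAX_N = 16


def validate_n(n, max_n=MAX_N):
    """Reject out-of-range n before any per-sample allocation happens."""
    if isinstance(n, bool) or not isinstance(n, int):
        raise ValueError("n must be an integer")
    if n < 1 or n > max_n:
        raise ValueError(f"n must be between 1 and {max_n}")
    return n


@dataclass
class CompletionRequest:
    """Hypothetical request model with the upper bound the advisory describes as missing."""
    prompt: str
    n: int = 1

    def __post_init__(self):
        validate_n(self.n)


def fan_out(req, max_n=MAX_N):
    """Expand a request into per-sample copies only after n has been bounded."""
    validate_n(req.n, max_n)
    return [req for _ in range(req.n)]


# Matches the n field in a JSON-style request body echoed into an access log.
N_FIELD = re.compile(r'"n"\s*:\s*(\d+)')


def find_suspicious_n(log_lines, threshold=MAX_N):
    """Return (line_no, n) for log lines whose n exceeds the threshold."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for match in N_FIELD.finditer(line):
            n = int(match.group(1))
            if n > threshold:
                hits.append((line_no, n))
    return hits


# Constructed sample log lines (not real vLLM output).
SAMPLE_LOG = [
    'POST /v1/completions body={"prompt": "hi", "n": 2}',
    'POST /v1/chat/completions body={"messages": [], "n": 100000000}',
    'POST /v1/completions body={"prompt": "x", "max_tokens": 5}',
]
```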
Evidence notes
The CVE-2026-34756 vulnerability is documented in the official CVE record and NVD detail pages. Additional information is available from vendor references and source items provided. The vulnerability is caused by a lack of upper bound validation on the n parameter in certain Pydantic models, allowing for denial of service attacks. The vulnerability is addressed in version 0.19.0 of the vLLM OpenAI-compatible API server.
Official resources
- CVE-2026-34756 CVE record (CVE.org)
- CVE-2026-34756 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.