Input validation error in vLLM - CVE-2026-54234

 


Published: July 2, 2026


Vulnerability identifier: #VU136792
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54234
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vLLM
Affected software: vLLM

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the speculative decoding path when handling overlapping public gRPC Generate and Abort requests. A remote attacker can send a specific overlapping request sequence to cause a denial of service.

In shared deployments, exploitation can crash the engine worker, abort concurrent requests, and prevent later requests from completing until the worker is restarted. The issue was reproduced on Qwen3 GPTQ.


How to mitigate CVE-2026-54234

Install the security update from the vendor's website.
