#VU124868 Server-Side Request Forgery (SSRF) in vLLM - CVE-2026-34753

 

Published: April 4, 2026


Vulnerability identifier: #VU124868
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34753
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
vLLM
Software vendor:
vLLM

Description

The vulnerability allows a remote user to make arbitrary HTTP requests from the server and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in download_bytes_from_url when processing batch input JSON containing a user-controlled file_url value. A remote user can supply a crafted file_url to make arbitrary HTTP requests from the server and disclose sensitive information.

The issue affects the batch runner path for BatchTranscriptionRequest and BatchTranslationRequest and may also impact availability by targeting reachable internal services.
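
The following Python example is added here as an illustration of a defensive check for the user-controlled file_url described above; it is not vLLM's fix and not code from this advisory. The names check_file_url and audit_batch, the host allowlist, the injectable resolver and the JSON layout (custom_id, body.file_url) are assumptions, and the sample data is constructed.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_file_url(url, allowed_hosts, resolver=resolve_host):
    """Return (ok, reason) for one user-supplied file_url value."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    # An allowlisted name must still not resolve to an internal address.
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


def audit_batch(lines, allowed_hosts, resolver=resolve_host):
    """Check file_url on each JSON line; return [(custom_id, ok, reason)]."""
    results = []
    for line in lines:
        record = json.loads(line)
        url = record.get("body", {}).get("file_url", "")  # assumed layout
        ok, reason = check_file_url(url, allowed_hosts, resolver)
        results.append((record.get("custom_id"), ok, reason))
    return results


# Constructed sample data: fake DNS answers and batch input lines.
FAKE_DNS = {"media.example.com": {"93.184.216.34"}, "alias.example.com": {"10.0.0.5"}}
ALLOWED = set(FAKE_DNS)
SAMPLE = [
    '{"custom_id": "r1", "body": {"file_url": "https://media.example.com/a.wav"}}',
    '{"custom_id": "r2", "body": {"file_url": "http://10.0.0.5/status"}}',
    '{"custom_id": "r3", "body": {"file_url": "https://alias.example.com/a.wav"}}',
    '{"custom_id": "r4", "body": {"file_url": "ftp://media.example.com/a.wav"}}',
]
if __name__ == "__main__":
    print(*audit_batch(SAMPLE, ALLOWED, FAKE_DNS.__getitem__), sep="\n")
```

A check like this only holds if the download then connects to the address that was validated and applies the same check to any redirect target; otherwise a second DNS lookup or a redirect can bypass it.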


Remediation

Install the security update from the vendor's website.

External links