PT-2026-30199 · vLLM · vLLM

Ez-Lbz · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-34756

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.1.0 through 0.18.9

Description: A Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of upper-bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies on the heap before the request even reaches the scheduling queue. The root cause is the missing upper-bound check during request parsing and asynchronous scheduling. The vulnerability affects any individual or organization hosting a public-facing vLLM API server, as well as SaaS/AI-as-a-Service platforms acting as reverse proxies without strict HTTP body payload validation or rate limiting.

Recommendations: Update to version 0.19.0 or later.
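The class of check the description says was missing, as an added example that is not vLLM's own code: a request parser that bounds n (and the body size) before the request is fanned out into per-sample copies, so the fan-out can never be driven by an attacker-chosen count. The ceiling MAX_N and the body cap are assumptions for this example; the advisory does not state the values chosen upstream.

```python
import json
from typing import Any, Optional

# Ceiling on completions per request. The advisory does not state the value
# chosen upstream, so this number is an assumption made for the example.
MAX_N = 16
MAX_BODY_BYTES = 64 * 1024  # assumed cap so a proxy can refuse oversized payloads early

class RequestRejected(ValueError):
    """Raised during parsing, before any per-completion state is allocated."""

def validate_n(payload: dict[str, Any]) -> int:
    """Return a bounded n: the upper-bound check the advisory describes as missing."""
    n = payload.get("n", 1)  # OpenAI-style default of one completion
    if isinstance(n, bool) or not isinstance(n, int):  # bool is an int subclass
        raise RequestRejected("n must be an integer")
    if not 1 <= n <= MAX_N:
        raise RequestRejected(f"n must be between 1 and {MAX_N}")
    return n

def parse_request(body: bytes) -> dict[str, Any]:
    """Parse a chat/completion JSON body with body-size and n bounds enforced."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("request body too large")
    try:
        payload = json.loads(body)
    except ValueError as exc:  # JSONDecodeError and oversized-integer conversion errors
        raise RequestRejected("malformed JSON body") from exc
    if not isinstance(payload, dict):
        raise RequestRejected("body must be a JSON object")
    payload["n"] = validate_n(payload)
    return payload

def expand_samples(payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Fan the request out into one copy per sample; the bound above keeps this small."""
    return [dict(payload, sample_index=i) for i in range(payload["n"])]

def rejection_reason(body: bytes) -> Optional[str]:
    """The rejection message for a body, or None when it is accepted."""
    try:
        parse_request(body)
    except RequestRejected as exc:
        return str(exc)
    return None

# Constructed sample bodies: a normal request and one carrying an enormous n.
NORMAL_BODY = b'{"model": "demo", "prompt": "hello", "n": 2}'
OVERSIZED_N_BODY = b'{"model": "demo", "prompt": "hello", "n": 100000000000}'
```

The same bound can be enforced at a reverse proxy in front of the server, which is where the description places the second line of defence.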

Tags: Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-34756, GHSA-3MWP-WVH9-7528

Affected Products: vLLM