PT-2026-30275 · vLLM · vLLM

Credits: Arthur-Stat +7
Published: 2026-04-03 · Updated: 2026-04-06
CVE: CVE-2026-34753
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.16.0 through 0.18.99

Description: vLLM, an inference and serving engine for large language models, contains a server-side request forgery (SSRF) flaw in the `download_bytes_from_url` function. An attacker who can control the batch input JSON can make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, because the URL is fetched without any validation or domain restrictions. The vulnerable code is in `run_batch.py`: `download_bytes_from_url` calls `session.get(url)` directly on a URL taken from the batch input JSON. The `file_url` parameter of `BatchTranscriptionRequest` and `BatchTranslationRequest` is affected, as it is subject to no domain, IP, or port restrictions. This can be exploited to reach internal services accessible from the vLLM host.

Recommendations: Update to vLLM version 0.19.0 or later.
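The advisory describes the missing control as URL validation with domain, IP, and port restrictions. The following is an added, illustrative guard of that kind for a user-supplied download URL; it is not vLLM's code and not the upstream fix, and the function names, the allowed scheme/port policy, and the sample hostnames are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # policy values assumed for this example
ALLOWED_PORTS = {443}


def is_public_ip(ip) -> bool:
    # Rejects loopback, RFC 1918/ULA, link-local (incl. the 169.254.169.254
    # cloud-metadata range), multicast, reserved and unspecified addresses.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_download_url(url, resolve=socket.getaddrinfo, allowed_hosts=()):
    """Return `url` if policy allows fetching it, else raise ValueError.
    `resolve` is injectable so tests run offline; a real client must also
    connect to the address validated here (pin it) to avoid DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or 443  # .port itself raises ValueError if malformed
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if allowed_hosts and host not in allowed_hosts:
        raise ValueError(f"host not on allow-list: {host!r}")
    # Check every address the name maps to; one non-public answer rejects all.
    try:
        addrs = {ipaddress.ip_address(ai[4][0]) for ai in resolve(host, port)}
    except socket.gaierror as e:
        raise ValueError(f"cannot resolve {host!r}: {e}") from e
    for ip in addrs:
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return url


def is_allowed_download_url(url, **kw) -> bool:
    """Boolean form of validate_download_url, convenient for callers/tests."""
    try:
        validate_download_url(url, **kw)
        return True
    except ValueError:
        return False
```

A batch runner would call `validate_download_url` on `file_url` before handing it to `session.get`, and should additionally disable redirects or re-validate each redirect target, since a permitted host can redirect to an internal address.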

Fix
SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-34753
GHSA-PF3H-QJGV-VCPR

Affected Products
vLLM