CVE-2026-24779

7.1 HIGH

📋 TL;DR

A Server-Side Request Forgery (SSRF) vulnerability in vLLM's MediaConnector class allows attackers to bypass host restrictions and make the server send requests to internal network resources. This affects vLLM versions before 0.14.1 with multimodal features enabled. The vulnerability is particularly dangerous in containerized environments where it could enable internal network scanning and interaction with other services.

💻 Affected Systems

Products:
  • vLLM
Versions: All versions prior to 0.14.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires multimodal features to be enabled and MediaConnector functionality to be used.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full access to internal network resources, compromises other pods/services, exfiltrates sensitive data, and causes denial of service through malicious requests to management endpoints.

🟠

Likely Case

Internal network reconnaissance, unauthorized access to internal services, potential data exposure from other pods, and system instability through false metric reporting.

🟢

If Mitigated

Limited to unsuccessful SSRF attempts if proper network segmentation and input validation are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URLs with backslashes to bypass host restrictions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.1

Vendor Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc

Restart Required: Yes

Instructions:

1. Update vLLM to version 0.14.1 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "vllm>=0.14.1"
2. Restart all vLLM services
3. Verify the patch is applied by checking the version

🔧 Temporary Workarounds

Disable MediaConnector functionality
Applies to: all
Disable the vulnerable MediaConnector feature if not required
Configure vLLM to not use multimodal features or MediaConnector

Network segmentation
Applies to: all
Restrict vLLM pod network access to only required services
Apply network policies to limit vLLM pod egress traffic

🧯 If You Can't Patch

  • Implement strict input validation and URL sanitization for MediaConnector inputs
  • Deploy network-level controls to restrict vLLM pod access to internal resources
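The following is an added example of the kind of pre-fetch URL validation the first bullet describes; it is illustrative code written for this page, not vLLM's own fix or the MediaConnector implementation. It assumes a hypothetical allow-list (ALLOWED_HOSTS) and decides before any network I/O: backslashes are refused outright (different URL parsers disagree on whether a backslash ends the authority), userinfo is refused, IP literals are checked against the full RFC 1918, loopback and link-local ranges, and only allow-listed hosts pass.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list of media origins; a real deployment sets its own.
ALLOWED_HOSTS = {"media.example.com"}

# Address ranges a media fetcher should never reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 (whole /12, not just 172.16.*)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_blocked_ip(host: str) -> bool:
    """True if `host` is an IP literal that falls inside a blocked range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name rather than a literal; allow-list decides
    return any(addr in net for net in BLOCKED_NETS)


def check_media_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL before it is ever fetched."""
    # urllib keeps a backslash inside the authority, WHATWG-style parsers treat
    # it as '/', so the host a validator sees may not be the host a client
    # connects to. Refuse the character instead of guessing which parser wins.
    if "\\" in url:
        return False, "backslash in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority"
    host = (parts.hostname or "").lower()  # hostname strips [] and lowercases
    if not host:
        return False, "no host"
    if is_blocked_ip(host):
        return False, f"host {host} is in a blocked range"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not on allow-list"
    # Names on the allow-list should still be resolved and the resulting
    # addresses re-checked against BLOCKED_NETS at connect time.
    return True, "ok"
```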

🔍 How to Verify

Check if Vulnerable:

Check if vLLM version is below 0.14.1 and multimodal features are enabled

Check Version:

python -c "import vllm; print(vllm.__version__)"

Verify Fix Applied:

Confirm vLLM version is 0.14.1 or higher and test MediaConnector with malicious URLs containing backslashes

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns with backslashes in MediaConnector requests
  • Requests to internal IP addresses from vLLM pods
  • Failed SSRF attempts in application logs

Network Indicators:

  • vLLM pods making unexpected outbound connections to internal services
  • Traffic to non-whitelisted internal endpoints

SIEM Query:

source="vllm" AND (url="*\\*" OR dest_ip=10.* OR dest_ip=192.168.* OR dest_ip=172.16.*)
