
CVE-2026-9540: vllm-project vllm OpenAI-compatible Serving Path denial of service

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

Severity: Medium · CVSS 6.9 · Not KEV-listed
Glexia's Take · moderate

Analyst readout for executives and security teams

Plain-English summary

CVE-2026-9540 is a remotely reachable denial-of-service issue in vllm-project vLLM 0.19.0’s OpenAI-compatible serving path. A successful attack can disrupt model-serving availability. The sources say a public exploit exists and a fix pull request is pending, but they do not show confirmed active exploitation.

Executive priority

Prioritize if vLLM supports customer-facing or business-critical AI services. The issue appears availability-focused rather than data theft, but public exploit availability and pending fix status increase operational urgency for exposed deployments.

Technical view

The issue is reported as CWE-404 in unknown processing of the OpenAI-compatible Serving Path. CVSS v4.0 is 6.9 with network attack vector, low complexity, no privileges, no user interaction, and low availability impact. The fix is referenced as GitHub PR 37594, awaiting acceptance in the source bundle.

Likely exposure

Exposure is most likely where vLLM 0.19.0 is deployed with its OpenAI-compatible API reachable by untrusted users or the internet. Internal-only deployments still carry risk if many tenants, services, or users can send requests to the serving path.

Exploitation context

The bundle states the exploit is public and might be used. CISA KEV status is false, and the provided sources do not confirm active exploitation in the wild. Treat this as credible public-risk DoS exposure, not a confirmed campaign.

Researcher notes

Evidence is limited to public advisory metadata, issue tracking, and a pending pull request. The affected component is named, but root cause details and final patched version are not established in the provided bundle. Avoid assuming broader version impact beyond vLLM 0.19.0.

Mitigation direction

  • Inventory all vLLM deployments and identify version 0.19.0.
  • Restrict OpenAI-compatible API access to trusted networks or authenticated clients.
  • Apply gateway rate limits and resource controls where already available.
  • Monitor GitHub PR 37594 and vendor guidance for an accepted fix.
  • Deploy the vendor-approved fix or upgrade path when available.

Validation and detection

  • Confirm package, image, or deployment manifests for vLLM 0.19.0.
  • Map which OpenAI-compatible endpoints are reachable from untrusted networks.
  • Review logs and metrics for request spikes or availability degradation.
  • Track GitHub issue 37343 and PR 37594 for status changes.
  • Use only vendor-safe, non-production validation guidance.
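
As an added illustration of the log-review item above (not part of the Glexia readout or of the vLLM project), the script below sweeps constructed access-log lines for per-client request bursts and degraded responses on vLLM's OpenAI-compatible endpoints; the log line shape, thresholds and sample addresses are assumptions.

```python
import re
from collections import Counter

# Request paths served by vLLM's OpenAI-compatible server, i.e. the affected serving path.
OPENAI_PATHS = {"/v1/completions", "/v1/chat/completions", "/v1/embeddings"}

# Constructed sample lines, not real captures. Assumed line shape (a gateway or reverse
# proxy in front of vLLM would have to be configured to emit something equivalent):
#   <minute timestamp> <client ip> "<METHOD> <path>" <status> <latency ms>
BURST = "\n".join('2026-03-01T10:01 198.51.100.7 "POST /v1/completions" 499 30000' for _ in range(25))
SAMPLE_LOG = f"""\
2026-03-01T10:00 10.0.0.5 "POST /v1/chat/completions" 200 812
2026-03-01T10:00 10.0.0.5 "POST /v1/chat/completions" 200 790
2026-03-01T10:00 198.51.100.7 "POST /v1/completions" 200 640
{BURST}
2026-03-01T10:01 10.0.0.5 "POST /v1/chat/completions" 200 905
2026-03-01T10:01 10.0.0.5 "GET /health" 200 3
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3}) (\d+)$')


def find_spikes(lines, per_minute=20, slow_ms=10_000, degraded_min=5):
    """Return (minute, client, requests, degraded) for every client/minute that sent
    at least per_minute requests to the OpenAI-compatible endpoints, or whose requests
    there were degraded (slow or non-2xx) at least degraded_min times."""
    requests = Counter()
    degraded = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole sweep
        minute, client, _method, path, status, latency = m.groups()
        if path not in OPENAI_PATHS:
            continue  # health checks and other paths are not the affected component
        key = (minute, client)
        requests[key] += 1
        if int(latency) >= slow_ms or not status.startswith("2"):
            degraded[key] += 1
    return sorted(
        (minute, client, n, degraded[(minute, client)])
        for (minute, client), n in requests.items()
        if n >= per_minute or degraded[(minute, client)] >= degraded_min
    )


if __name__ == "__main__":
    for minute, client, n, bad in find_spikes(SAMPLE_LOG.splitlines()):
        print(f"{minute} {client}: {n} requests to serving path, {bad} slow/failed")
```

Tune per_minute and slow_ms to the deployment's normal baseline before treating a hit as evidence of this issue rather than ordinary load.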
Confidence: medium · Sources: 8

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

CWE lookup (low confidence)

CWE-404: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

CVE lookup (low confidence)

CVE-2026-9540 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Vulnerability profile (CVE Program record)
Severity: Medium
CVSS: 6.9 (4.0)
Known Exploited: No

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4 CVSS vectors · 6 timeline events · 1 ADP provider · 8 source links

SSVC decision data

Provider: CISA-ADP (CISA Coordinator)
Version: 2.0.3
Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

  • 6.9, CVSS 4.0, Medium: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P (source: VulDB)
  • 5.3, CVSS 3.1, Medium: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R; exploitability 3.9, impact 1.4 (source: VulDB)
  • 5.3, CVSS 3.0, Medium: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R; exploitability 3.9, impact 1.4 (source: VulDB)
  • 5, CVSS 2.0, Medium: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR; exploitability 10, impact 2.9 (source: VulDB)

Vulnerability scoring details

Base CVSS 4.0 score

6.9 Medium

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
VS Confidentiality: None
VS Integrity: None
VS Availability: Low
SS Confidentiality: None
SS Integrity: None
SS Availability: None

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timeline VulDB

    Advisory disclosed

  2. Source timeline VulDB

    VulDB entry created

  3. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timeline VulDB

    VulDB entry last update

  5. CVE published CVE Program

    The CVE record was published.

  6. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP (CISA ADP Vulnrichment): other:ssvc

Source materials

Affected products

Products and packages named in the record

Vendor: vllm-project · Product: vllm · Version / package: 0.19.0 · Status: Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-404 · source CWE mapping

Improper Resource Shutdown or Release

Improper Resource Shutdown or Release represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.