CVE-2026-9540 MEDIUM

CVE-2026-9540: vllm-project vllm OpenAI-compatible Serving Path denial of service

Vendor Vllm-Project
Product vllm
Weakness CWE-404
Published May 26, 2026
Last update May 26, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 26, 2026 Record updated