12 matches found
CVE-2026-45349 Open WebUI: Broken Access Control for Completions API
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...
Open WebUI has Broken Access Control for Completions API
Summary Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. Details A user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of anoth...
CVE-2025-62164
A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bound...
CVE-2025-62164
The CVE affects vLLM (inference/serving engine) before 0.11.1, where the Completions API loads user-supplied prompt embeddings with torch.load() lacking proper validation. A PyTorch 2.8.0 change disables sparse-tensor invariants checks, allowing crafted tensors to bypass bounds checks and trigger...
CVE-2025-62164 VLLM deserialization vulnerability leading to DoS and potential RCE
vLLM is an inference and serving engine for large language models LLMs. From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash denial-of-service and potentially remote code execution RCE, exists in the Completions API endpoint. When processing user-supplied...
vLLM 缓冲区错误漏洞
vLLM is a vLLM open source high throughput and memory efficient inference and service engine for LLM. A buffer error vulnerability exists in vLLM versions 0.10.2 through prior to 0.11.1, which stems from the presence of a memory corruption in the Completions API endpoint that could lead to a cras...
vLLM deserialization vulnerability leading to DoS and potential RCE
Summary A memory corruption vulnerability that leading to a crash denial-of-service and potentially remote code execution RCE exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using...
EUVD-2024-2882
Malicious code in bioql PyPI...
vLLM denial of service vulnerability
A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service...
CVE-2024-8768
A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service...
CVE-2024-8768
CVE-2024-8768 affects the vLLM library: a completions API request with an empty prompt can crash the vLLM API server, causing a DoS. Public metrics show CVSS v3.1 base score 7.5 (Network assault vector, Low attack complexity, No privileges, No user interaction required, Availability impact High)....
CVE-2024-8768
A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service. Mitigation Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example...