Critical vLLM Multimodal Endpoint Flaw Enables Pre-Auth Remote Code Execution via Malicious Video
CVE-2026-22778 is a critical vulnerability in vLLM (an LLM inference/serving engine) that can enable remote code execution (RCE) when a server processes attacker-supplied multimodal content (e.g., a crafted video/image payload). The issue stems from vLLM returning a PIL error to the client when an invalid image is submitted to a multimodal endpoint, which leaks a heap address and dramatically weakens ASLR (reported as reducing brute-force from billions of guesses to ~8). This information disclosure can then be chained with a heap overflow in the JPEG2000 decoder within bundled OpenCV/FFmpeg components to hijack execution flow and run arbitrary commands on the host.
Operational risk is elevated because many default vLLM deployments (including common pip/Docker installs) may be exposed without authentication, and reporting indicates exploitation may still be possible pre-auth even when API keys are enabled (via an “invocations” route). The vulnerability affects versions 0.8.3 through < 0.14.1 and is fixed in vLLM 0.14.1; remediation should prioritize upgrading to >= 0.14.1 and reviewing exposure of multimodal endpoints, especially any internet-accessible instances.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting details pre-auth RCE risk in video-model deployments
Public coverage described CVE-2026-22778 as a critical CVSS 9.8 flaw that could allow pre-auth remote code execution in some default or invocations-route vLLM deployments serving video models. The reporting clarified that text-only model serving was not affected and urged administrators to upgrade to vLLM 0.14.1 or later.
vLLM 0.14.1 released to fix CVE-2026-22778
The issue was fixed in vLLM version 0.14.1, which remediates the heap address disclosure affecting multimodal and video-serving deployments. References cited for the fix include the v0.14.1 release tag, related GitHub pull requests, and a GitHub Security Advisory.
vLLM vulnerability enables heap address leak via invalid image errors
A vulnerability later assigned CVE-2026-22778 was identified in vLLM versions 0.8.3 through before 0.14.1, where sending an invalid image to a multimodal endpoint causes a PIL error to leak a heap address. The leak significantly reduces ASLR entropy and can be chained with a JPEG2000 decoder heap overflow in bundled OpenCV/FFmpeg components for possible remote code execution.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
Mar 27, 2026
LMDeploy SSRF Was Exploited Within Hours as LiteLLM Proxy Disclosed RCE Chain
Attackers began exploiting **CVE-2026-33626** in LMDeploy less than 13 hours after public disclosure, using a server-side request forgery flaw in vision-language request handling to make inference servers fetch attacker-controlled and internal URLs. Sysdig said the bug affects LMDeploy `0.12.0` and earlier with vision-language support, where `image_url` input is not properly restricted, and observed an eight-minute attack against its honeypot that probed AWS instance metadata, localhost services, an unauthenticated administrative endpoint, and an out-of-band callback domain. The activity included scans of loopback ports associated with **Redis**, **MySQL**, and HTTP services, underscoring the risk of exposing AI inference infrastructure to internal network discovery and cloud credential theft. The disclosures also highlighted broader weaknesses in LLM-serving platforms. LiteLLM published three advisories for LiteLLM Proxy that researchers said can be chained to achieve **remote code execution**, including an unauthenticated SQL injection (`GHSA-r75f-5x8p-qvmc`), a server-side template injection flaw, and an authenticated command-execution issue in MCP stdio test endpoints. The affected LiteLLM range is `1.81.16` through `1.83.6`, with fixes available in `1.83.7-stable` and later, while LMDeploy users were urged to upgrade to `v0.12.3+`, enforce **IMDSv2**, restrict egress, rotate IAM credentials, and monitor inference hosts for requests to metadata, loopback, and private-network addresses.
Apr 24, 2026
Two High-Severity Buffer Overflow Flaws Disclosed in LinkingVision rapidvms
Two high-severity vulnerabilities, **CVE-2026-33848** and **CVE-2026-33849**, were disclosed in **LinkingVision rapidvms**, both classified as **CWE-119** improper restriction of operations within the bounds of a memory buffer. The flaws affect **rapidvms versions before `PR#96`** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating network-reachable exploitation with low attack complexity, no required privileges, user interaction, and potential for high impact across confidentiality, integrity, and availability. Both CVE records point to **GitHub pull request `#96`** in the `linkingvision/rapidvms` repository as the referenced fix or related remediation. Organizations running vulnerable rapidvms builds should review the changes in that pull request, identify any exposed instances, and prioritize upgrading or patching affected systems because successful exploitation could lead to severe compromise of the video management platform.
Mar 24, 2026