Bug 2492122
| Summary: | CVE-2026-48746 python-starlette: vLLM: Critical authentication bypass allows unauthorized API access [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | python-starlette | Assignee: | Ben Beasley <code> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | epel10 | CC: | code, paul.wouters, rominf |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["d4a6286d-1dc1-448e-adc0-91f1896bbfeb"]} | ||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-06-24 09:27:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2173769, 2491581 | ||
|
Description
Avinash Hanwate
2026-06-24 08:19:52 UTC
Looking at https://github.com/vllm-project/vllm/security/advisories/GHSA-94f4-hr76-p5j6, this appears to be a bug in how the vllm software uses Starlette. There is no documented bug in Starlette, no proposed fix in Starlette, and vllm itself is not even packaged in either Fedora or EPEL. |