Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
vLLM

vLLM Vendor Cyber Rating & Cyber Score

github.com

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs


vLLM A.I CyberSecurity Scoring

vLLM
Company Information
Website:https://github.com/vllm-project/vllm
Employees number:20
Number of followers:14,771
NAICS:5112
Industry Type:Software Development
Homepage:github.com
vLLM Risk Score (AI oriented)
Between 700 and 749
logo
vLLMSoftware Development
Updated:
27/05/2026
747/1000
Moderate
Ba
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
vLLM Global Score (TPRM)
xxxx
logo
vLLMSoftware Development
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

vLLM
vLLMModerate
Current Score
747Ba (MODERATE)
01000
1 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
748Before Incident
JUNE 2026
748Before Incident
MAY 2026
750Before Incident
Vulnerability
27 May 2026vLLM
vLLM, FastAPI and Model Context Protocol: BadHost Vulnerability Exposes Sensitive AI Agent Server Endpoints to Attackers

Critical 'BadHost' Vulnerability in Starlette Exposes AI Applications to Unauthorized Access

747After Incident
CRITICAL-3
OBOVLLFAS1779892255
Critical "BadHost" Vulnerability in Starlette Exposes AI Applications to Unauthorized Access A severe security flaw, CVE-2026-48710 (BadHost), has been discovered in the Starlette web framework, putting thousands of AI-powered applications and API services at risk of exploitation. Identified by X41 D-Sec during an OSTIF-sponsored audit, the vulnerability allows attackers to manipulate HTTP request processing, potentially bypassing authentication and accessing restricted endpoints. The issue stems from improper sanitization of the HTTP Host header in earlier Starlette versions. By crafting malicious requests, attackers can alter the `request.url` object, tricking applications into misclassifying protected routes as legitimate. This enables the bypass of path-based authentication middleware, a common security measure in AI infrastructure, without requiring valid credentials. The impact is widespread, affecting FastAPI-based services, inference servers (vLLM, LiteLLM), Model Context Protocol (MCP) servers, OpenAI-compatible APIs, and custom AI frameworks. Many AI deployments rely on URL path validation for access control, making them particularly vulnerable. Exploitation could lead to unauthorized access to AI models, data exfiltration, or abuse of compute resources. Security researchers warn that exploitation is straightforward and does not require authentication, increasing the risk. Attackers could expose hidden endpoints, facilitate lateral movement in poorly segmented AI environments, or compromise sensitive data. A patch has been released in Starlette 1.0.1, and additional mitigations include strict Host header validation at the application and proxy levels and avoiding sole reliance on path-based access controls. Automated scanning tools, such as Nemesis, can help identify vulnerable deployments. The vulnerability highlights the growing security risks at the intersection of web frameworks and AI infrastructure, emphasizing the need for proactive patching and robust input validation as AI systems scale.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Sensitive data, AI modelsSystems Affected: AI-powered applications, API services, inference servers (vLLM, LiteLLM), Model Context Protocol (MCP) servers, OpenAI-compatible APIs, custom AI frameworksOperational Impact: Unauthorized access to AI models, data exfiltration, abuse of compute resources
DATA BREACH
Type Of Data Compromised: AI models, sensitive dataSensitivity Of Data: HighData Exfiltration: Possible
APRIL 2026
750Before Incident
MARCH 2026
750Before Incident
FEBRUARY 2026
750Before Incident
JANUARY 2026
750Before Incident
DECEMBER 2025
750Before Incident
NOVEMBER 2025
750Before Incident
OCTOBER 2025
750Before Incident
SEPTEMBER 2025
750Before Incident
AUGUST 2025
750Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for vLLM ?
?
What was vLLM's A.I Rankiteo Cyber Score in June 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in May 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in April 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in March 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in February 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in January 2026 ?
?
What was vLLM's A.I Rankiteo Cyber Score in December 2025 ?
?
What was vLLM's A.I Rankiteo Cyber Score in November 2025 ?
?
What was vLLM's A.I Rankiteo Cyber Score in October 2025 ?
?
What was vLLM's A.I Rankiteo Cyber Score in September 2025 ?
?
What was vLLM's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on vLLM's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with vLLM ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view vLLM's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?