CVE-2026-15574

HIGH

Vllm-orchestrator-gateway: vllm-orchestrator-gateway: authorization header and full chat payloads logged at hard-coded debug default

Title source: cna
STIX 2.1

Description

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.

References (2)

Core 2
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-15574
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2499594
https://bugzilla.redhat.com/show_bug.cgi?id=2499594

Scores

CVSS v3 7.5
EPSS 0.0026
EPSS Percentile 17.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-538
Status published
Products (1)
Red Hat/Red Hat OpenShift AI (RHOAI)
Published Jul 13, 2026
Tracked Since Jul 13, 2026