vLLM <= 0.23.0 – Anthropic Router Heap Address Information Leak (CVE-2026-54236)

Introduction

As one of the most widely adopted open-source libraries for serving Large Language Models (LLMs), vLLM is celebrated for its high-performance inference capabilities and memory-efficient attention mechanisms. However, a critical vulnerability disclosed in June 2026—tracked as CVE-2026-54236—highlights a significant information disclosure flaw within vLLM’s Anthropic API compatibility layer and real-time WebSocket endpoints. This flaw allows unauthenticated remote attackers to leak