{"data":{"id":"21dee9d7-e35a-400b-81a3-cbd271b79b6e","title":"CVE-2026-6607: A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function api_generate","summary":"A vulnerability was found in lm-sys fastchat (a tool for running AI models) up to version 0.2.36 that allows attackers to consume excessive resources (a denial-of-service condition) by exploiting the api_generate function in the Worker API Endpoint (the part of the software that handles requests from other programs). The attack can be done remotely over the internet, the vulnerability details have been publicly disclosed, and it may already be exploited.","solution":"Apply the patch identified by commit c9e84b89c91d45191dc24466888de526fa04cf33. Note that commit ff66426 patched only the api_generate function in base_model_worker.py and missed other entry points (other places in the code where the same issue occurs), so applying ff66426 alone does not fully address the issue; after patching, confirm that every worker entry point is covered.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-6607","publishedAt":"2026-04-20T05:16:16.190Z","cveId":"CVE-2026-6607","cweIds":["CWE-400","CWE-404"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["lm-sys fastchat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-20T05:16:16.190Z","capecIds":["CAPEC-125","CAPEC-130"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}