AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-34760: vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, L

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseApril 2, 2026CVE-2026-34760

Summary

vLLM versions 0.5.5 through 0.17.x have a bug where Librosa (a library that processes audio) uses a simple averaging method for mono downmixing (converting multi-channel audio to single-channel), but the international standard ITU-R BS.775-4 requires a weighted algorithm instead. This causes audio to sound different to humans than what AI models actually process, creating a mismatch in how the same audio is experienced.

Solution / Mitigation

This issue has been patched in version 0.18.0.

Vulnerability Details

CVSS Score

5.9(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

network

Attack Complexity

high

Privileges Required

low

User Interaction

none

Disclosure Date

April 2, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedInference

Taxonomy References

CWE (Weakness Type)

CWE-20

Affected Vendors

HuggingFace

Related Issues

high

CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling

Same vendorNVD/CVE Database

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34760

First tracked: April 2, 2026 at 08:08 PM

Classified by LLM (prompt v3) · confidence: 75%