CVE-2026-6607
lm-sys fastchat Worker API Endpoint api_generate resource consumption
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function api_generate of the component Worker API Endpoint. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is c9e84b89c91d45191dc24466888de526fa04cf33. It is suggested to install a patch to address this issue. Commit ff66426 patched this issue in api_generate of base_model_worker.py and did miss other entry points.
| CWE | CWE-400 CWE-404 |
| Vendor | lm-sys |
| Product | fastchat |
| Published | Apr 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for lm-sys fastchat
Be the first to know when new medium vulnerabilities affecting lm-sys fastchat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
lm-sys / fastchat
0.2.0 0.2.1 0.2.2 0.2.3 0.2.4 0.2.5 0.2.6 0.2.7 0.2.8 0.2.9 0.2.10 0.2.11 0.2.12 0.2.13 0.2.14 0.2.15 0.2.16 0.2.17 0.2.18 0.2.19 0.2.20 0.2.21 0.2.22 0.2.23 0.2.24 0.2.25 0.2.26 0.2.27 0.2.28 0.2.29 0.2.30 0.2.31 0.2.32 0.2.33 0.2.34 0.2.35 0.2.36
References
vuldb.com: https://vuldb.com/vuln/358242 vuldb.com: https://vuldb.com/vuln/358242/cti vuldb.com: https://vuldb.com/submit/792227 github.com: https://github.com/lm-sys/FastChat/issues/3833 github.com: https://github.com/lm-sys/FastChat/pull/3835 gist.github.com: https://gist.github.com/YLChen-007/87216a2d97a882d619e11dc67cd473b5 github.com: https://github.com/lm-sys/FastChat/commit/c9e84b89c91d45191dc24466888de526fa04cf33 github.com: https://github.com/lm-sys/FastChat/
Credits
๐ Eric-f (VulDB User)