CVE-2026-6607 | lm-sys fastchat up to 0.2.36 Worker API Endpoint api_generate resource consumption (Issue 3833)

VDB-358242 · SUBMIT #792227 · CVE-2026-6607 LM-SYS FASTCHAT UP TO 0.2.36 WORKER API ENDPOINT API_GENERATE RESOURCE CONSUMPTION HISTORYDIFFRELATEJSONXMLCTI Summaryinfo A vulnerability labeled as problematic has been found in lm-sys fastchat up to 0.2.36. Impacted is the function api_generate of the component Worker API Endpoint. The manipulation results in resource consumption. This vulnerability is reported as CVE-2026-6607. The attack can be launched remotely. Moreover, an exploit is present. A patch should be applied to remediate this issue. Commit ff66426 patched this issue in api_generate of base_model_worker.py and did miss other entry points. Detailsinfo A vulnerability was found in lm-sys fastchat up to 0.2.36. It has been classified as problematic. Affected is the function api_generate of the component Worker API Endpoint. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. The advisory is available at github.com. This vulnerability is traded as CVE-2026-6607. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known. This vulnerability is assigned to T1499 by the MITRE ATT&CK project. The exploit is shared for download at gist.github.com. It is declared as proof-of-concept. Commit ff66426 patched this issue in api_generate of base_model_worker.py and did miss other entry points. Applying the patch c9e84b89c91d45191dc24466888de526fa04cf33 is able to eliminate this problem. The bugfix is ready for download at github.com. Productinfo Type Chat Software Vendor lm-sys Name fastchat Version 0.2.0 0.2.1 0.2.2 0.2.3 0.2.4 0.2.5 0.2.6 0.2.7 0.2.8 0.2.9 0.2.10 0.2.11 0.2.12 0.2.13 0.2.14 0.2.15 0.2.16 0.2.17 0.2.18 0.2.19 0.2.20 0.2.21 0.2.22 0.2.23 0.2.24 0.2.25 0.2.26 0.2.27 0.2.28 0.2.29 0.2.30 0.2.31 0.2.32 0.2.33 0.2.34 0.2.35 0.2.36 License open-source Website Product: https://github.com/lm-sys/FastChat/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.3 VulDB Meta Temp Score: 4.8 VulDB Base Score: 5.3 VulDB Temp Score: 4.8 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Resource consumption CWE: CWE-400 / CWE-404 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Access: Public Status: Proof-of-Concept Download: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: c9e84b89c91d45191dc24466888de526fa04cf33 Timelineinfo 04/19/2026 Advisory disclosed 04/19/2026 +0 days VulDB entry created 04/19/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: 3833 Status: Confirmed Confirmation: 🔒 CVE: CVE-2026-6607 (🔒) GCVE (CVE): GCVE-0-2026-6607 GCVE (VulDB): GCVE-100-358242 scip Labs: https://www.scip.ch/en/?labs.20161013 Entryinfo Created: 04/19/2026 18:04 Changes: 04/19/2026 18:04 (62) Complete: 🔍 Submitter: Eric-f Cache ID: 99:F67:101 Submitinfo Accepted Submit #792227: LM-Sys FastChat <= 0.2.36 Denial of Service (CWE-400) (by Eric-f) Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸