A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-15574 describes a critical logging vulnerability in the vllm-orchestrator-gateway component where production binaries indiscriminately log incoming authorization headers and complete chat payloads to persistent storage. This flaw exposes sensitive data including bearer tokens, API credentials, and user conversation content to any individual with logging access privileges. Organizations deploying this component are at immediate risk of credential compromise and PII disclosure, particularly those in AI/ML operations, customer service automation, and enterprise chat platforms where sensitive information regularly flows through the orchestrator.
While this CVE currently maps to zero MITRE ATT&CK techniques, Casky's security skills powered by Claude's extended reasoning would detect the underlying attack patterns associated with T1123 (Audio Capture), T1123 (Screen Capture), and more critically T1552 (Unsecured Credentials) and T1537 (Transfer Data to Cloud Account) by analyzing log access patterns and credential harvesting behavior. Practitioners using Casky would observe findings highlighting abnormal log file access requests, unusual combinations of logging privilege escalation followed by data exfiltration attempts, and patterns consistent with post-exploitation credential theft. The platform's ability to correlate behavioral signals across security events would identify attackers moving from initial access through credential extraction to lateral movement—even before ATT&CK mappings formally categorize this disclosure vector.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-15574. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation