CVE-2026-22807
published 2026-01-21

Priority: P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% (49.9th percentile)

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | | |
| vllm | vllm | >= 0.10.1 < 0.14.0 | 0.14.0 |
| vllm | vllm | >= 0.10.1 < 0.14.0 | 0.14.0 |
| vllm | vllm | >= 0.10.1 < 0.18.0 | 0.18.0 |

Detection & IOCs (extracted from sources)

  • vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, enabling attacker-controlled Python code execution at server startup
  • Exploitation occurs during model load, before any request handling and without requiring API access — monitor for unexpected process spawning or file writes during vLLM startup
  • Attack vector is influence over the model repo/path (local directory or remote Hugging Face repo); audit model source paths and repository references supplied to vLLM
  • Affected vLLM versions are 0.10.1 through 0.13.x; flag any deployment running these versions loading externally-sourced models
  • The `trust_remote_code` guard is NOT enforced for `auto_map` dynamic modules in affected versions — do not assume this flag protects against the attack vector until patched to 0.14.0
  • Restrict vLLM model repository paths to trusted, verified sources and implement integrity checks; unauthorized modification of the model path is sufficient for exploitation
  • Multiple Red Hat container images are confirmed affected, including rhaiis/vllm-spyre-rhel9, rhaiis/vllm-tpu-rhel9, rhelai3/bootc-*-cuda-rhel9, rhoai/odh-vllm-cpu-rhel9, rhoai/odh-vllm-cuda-rhel9, and rhoai/odh-vllm-rocm-rhel9
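
One way to run the model-path audit and version check from the list above, as an added example that is not code from vLLM or from the advisory. It lists every `auto_map` entry in a local model directory's JSON configs and tests a version string against the 0.10.1 to < 0.14.0 range; the function names and the sample directory are constructed, and it assumes the Hugging Face reference forms `module.Class` and `owner/repo--module.Class`.

```python
import json
import re
import tempfile
from pathlib import Path

AFFECTED_MIN, FIXED_IN = (0, 10, 1), (0, 14, 0)  # range stated in the advisory

def vllm_version_affected(version: str) -> bool:
    """True if a vLLM version string falls inside the advisory's range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return AFFECTED_MIN <= tuple(int(g or 0) for g in m.groups()) < FIXED_IN

def find_auto_map(model_dir: str) -> list:
    """List every auto_map entry in the top-level JSON configs of a model directory."""
    root, findings = Path(model_dir), []
    for cfg_path in sorted(root.glob("*.json")):
        try:
            cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON
        auto_map = cfg.get("auto_map") if isinstance(cfg, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for auto_class, ref in auto_map.items():
            # Value is one "module.Class" string or a list of them (entries may be null).
            for r in (ref if isinstance(ref, list) else [ref]):
                if not isinstance(r, str):
                    continue
                # "owner/repo--module.Class" names code hosted in another repository.
                repo, _, target = r.rpartition("--")
                module_file = target.rsplit(".", 1)[0].replace(".", "/") + ".py"
                findings.append({"file": cfg_path.name, "auto_class": auto_class,
                                 "reference": r, "external_repo": repo or None,
                                 "module_present": (root / module_file).is_file()})
    return findings

def build_sample(tmp: str) -> None:
    """Constructed sample input: a model directory whose config.json has auto_map."""
    Path(tmp, "config.json").write_text(json.dumps({"model_type": "example", "auto_map": {
        "AutoConfig": "configuration_example.ExampleConfig",
        "AutoModel": "example-org/example-repo--modeling_example.ExampleModel"}}))
    Path(tmp, "configuration_example.py").write_text("# placeholder module\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_auto_map(tmp), vllm_version_affected("0.13.0"))
```

Any finding on a deployment where `vllm_version_affected` returns true means the referenced module should be reviewed before the directory is handed to vLLM, whatever the `trust_remote_code` setting.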

CVSS provenance

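| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 8.8 | HIGH | |
| osv | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |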