CVE-2026-22807
Published 2026-01-21
Priority: P2 (65) · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% (49.9th percentile)
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | >= 0.10.1 < 0.14.0 | 0.14.0 |
| vllm | vllm | >= 0.10.1 < 0.14.0 | 0.14.0 |
| vllm | vllm | >= 0.10.1 < 0.18.0 | 0.18.0 |
Detection & IOCs (extracted from sources)
- vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, enabling attacker-controlled Python code execution at server startup
- Exploitation occurs during model load, before any request handling and without requiring API access; monitor for unexpected process spawning or file writes during vLLM startup
- Attack vector is influence over the model repo/path (local directory or remote Hugging Face repo); audit model source paths and repository references supplied to vLLM
- Affected vLLM versions are 0.10.1 through 0.13.x; flag any deployment running these versions loading externally-sourced models
- The `trust_remote_code` guard is NOT enforced for `auto_map` dynamic modules in affected versions; do not assume this flag protects against the attack vector until patched to 0.14.0
- Restrict vLLM model repository paths to trusted, verified sources and implement integrity checks; unauthorized modification of the model path is sufficient for exploitation
- Multiple Red Hat container images are confirmed affected, including rhaiis/vllm-spyre-rhel9, rhaiis/vllm-tpu-rhel9, rhelai3/bootc-*-cuda-rhel9, rhoai/odh-vllm-cpu-rhel9, rhoai/odh-vllm-cuda-rhel9, and rhoai/odh-vllm-rocm-rhel9
CVSS provenance
- nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- ghsa: 8.8 HIGH
- osv: 8.8 HIGH
- vendor_redhat: 8.8 HIGH
GHSA
CVE-2026-4944 [HIGH] CWE-22 GHSA-g57c-wgqx-8wx7: vllm-project/vllm version 0
ghsa_unreviewed · 2026-05-28 · CVSS 8.8
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
OSV
CVE-2026-27893 [HIGH] vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
osv · 2026-03-27 · CVSS 8.8
### Summary
Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust.
### Details
**Affected files (latest main branch):**
1. `vllm/model_executor/models/nemotron_vl.py:430`
```python
vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
```
2. `vllm/model_executor/models/kimi_k25.py:177`
```python
cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
```
Both pass a hardcoded `trust_remote_code=True` to
GHSA
CVE-2026-27893 [HIGH] CWE-693 vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
ghsa · 2026-03-27 · CVSS 8.8
GHSA
CVE-2026-22807 [HIGH] CWE-94 vLLM affected by RCE via auto_map dynamic module loading during model initialization
ghsa · 2026-01-21
# Summary
vLLM loads Hugging Face `auto_map` dynamic modules during model resolution **without gating on `trust_remote_code`**, allowing attacker-controlled Python code in a model repo/path to execute at server startup.
---
# Impact
An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve **arbitrary code execution** on the vLLM host during model load.
This happens **before any request handling** and does **not require API access**.
---
# Affected Versions
All versions where `vllm/model_executor/models/registry.py` resolves `auto_map` entries with `try_get_class_from_dynamic_module` **without checking `trust_remote_code`** (at least current `main`)
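The gate the advisory describes as missing, written as an added stand-alone example (not vLLM's own code or its fix): it reads a model directory's `config.json`, lists the Python modules its `auto_map` entries would import, and refuses to resolve them unless `trust_remote_code` was granted. The model directory it audits is constructed in a temp directory; the `org/repo--module.Class` handling follows the Hugging Face cross-repo reference form.

```python
import json
import os
import tempfile

# Added example, not vLLM code: an `auto_map` entry in config.json names a
# Python module shipped inside the model repo, and importing it is what lets
# repo-controlled code run at load time. Gate that import on the operator flag.

class UntrustedRemoteCodeError(RuntimeError):
    """The repo needs remote code but the operator did not opt in."""

def auto_map_entries(model_dir):
    """Return the auto_map mapping from config.json ({} if none declared)."""
    with open(os.path.join(model_dir, "config.json"), encoding="utf-8") as fh:
        config = json.load(fh)
    auto_map = config.get("auto_map") or {}
    # Only string entries name importable code; list-valued entries are skipped.
    return {k: v for k, v in auto_map.items() if isinstance(v, str)}

def referenced_modules(model_dir):
    """Python files the auto_map entries would import, sorted."""
    files = set()
    for ref in auto_map_entries(model_dir).values():
        # Values are "module.Class" or "org/repo--module.Class" (cross-repo form).
        target = ref.split("--")[-1]
        files.add(target.rsplit(".", 1)[0] + ".py")
    return sorted(files)

def gate_dynamic_modules(model_dir, trust_remote_code):
    """Return modules safe to resolve; raise rather than import silently."""
    modules = referenced_modules(model_dir)
    if modules and not trust_remote_code:
        raise UntrustedRemoteCodeError(
            f"{model_dir} declares auto_map modules {modules}; "
            "refusing to import them without trust_remote_code=True")
    return modules

def make_sample_repo():
    """Constructed sample model directory (not a real model) with auto_map set."""
    model_dir = tempfile.mkdtemp(prefix="sample_model_")
    config = {"architectures": ["SampleForCausalLM"],
              "auto_map": {"AutoConfig": "configuration_sample.SampleConfig",
                           "AutoModelForCausalLM": "modeling_sample.SampleForCausalLM"}}
    with open(os.path.join(model_dir, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    return model_dir
```

On a host still running an affected 0.10.1 to 0.13.x build, running this audit over every operator-supplied model path before it reaches the loader gives the refusal the engine itself did not provide.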
OSV
CVE-2026-22807 [HIGH] vLLM affected by RCE via auto_map dynamic module loading during model initialization
osv · 2026-01-21
Red Hat
CVE-2026-22807 [HIGH] CWE-94 vLLM: Arbitrary code execution via untrusted model loading
vendor_redhat · 2026-01-21 · CVSS 8.8
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability allows a re
No detection rules found.
No public exploits indexed.
References
- https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5
- https://github.com/vllm-project/vllm/pull/32194
- https://github.com/vllm-project/vllm/releases/tag/v0.14.0
- https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:30087
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:5119
- https://access.redhat.com/security/cve/CVE-2026-22807
- https://bugzilla.redhat.com/show_bug.cgi?id=2431865
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22807.json