CVE-2026-27893
published 2026-03-27CVE-2026-27893: vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation…
PriorityP359high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
1.36%
68.3th percentile
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | >= 0.10.1 < 0.18.0 | 0.18.0 |
| vllm | vllm | >= 0.10.1 < 0.18.0 | 0.18.0 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ghsa8.8HIGH
osv8.8HIGH
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
osv·2026-03-27·CVSS 8.8
CVE-2026-27893 [HIGH] vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
### Summary
Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model
repositories even when the user has explicitly disabled remote code trust.
### Details
**Affected files (latest main branch):**
1. `vllm/model_executor/models/nemotron_vl.py:430`
```python
vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
```
2. vllm/model_executor/models/kimi_k25.py:177
```python
cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
```
Both pass a hardcoded trust_remote_code=True to
GHSA
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
ghsa·2026-03-27·CVSS 8.8
CVE-2026-27893 [HIGH] CWE-693 vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
### Summary
Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model
repositories even when the user has explicitly disabled remote code trust.
### Details
**Affected files (latest main branch):**
1. `vllm/model_executor/models/nemotron_vl.py:430`
```python
vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
```
2. vllm/model_executor/models/kimi_k25.py:177
```python
cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
```
Both pass a hardcoded trust_remote_code=True to
Red Hat
vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting
vendor_redhat·2026-03-26·CVSS 8.8
CVE-2026-27893 [HIGH] CWE-501 vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting
vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). Two model implementation files hardcode `trust_remote_code=True` when loading sub-components. This bypasses the user's explicit `--trust-remote-code=False` security
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34755 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-34755 [HIGH] CVE-2026-34755 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34755 :
vLLM vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.
Source : NVD
## 6.5
Score
Published April 6, 2026
Severity MEDIUM
CNA Scor
Wiz
CVE-2026-25960 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25960 [HIGH] CVE-2026-25960 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25960 :
vLLM vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.
Source : NVD
## 9.8
Score
Published March 9, 2026
Severity CRITICAL
CNA Score 7.1
Affected Technologies
vLLM
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Re
Wiz
CVE-2026-27893 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27893 [HIGH] CVE-2026-27893 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27893 :
Chainguard vulnerability analysis and mitigation
trust_remote_code=True
--trust-remote-code=False
Source : NVD
## 8.8
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Chainguard
vLLM
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vllm
py3-vllm-cuda-12.4
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
pip Severity HIGH Has Fix Added at: Mar 29, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Chainguard vulnerabilities:
CVE ID
Severity
Wiz
GHSA-mcmc-2m55-j8jj Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-62164 [HIGH] GHSA-mcmc-2m55-j8jj Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mcmc-2m55-j8jj :
vLLM vulnerability analysis and mitigation
## Summary
The fix here for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cause, so the DoS vulnerability remains when the feature is enabled.
## Details
vLLM's pending change attempts to fix the root cause, which is the missing sparse tensor validation. PyTorch (~v2.0) disables sparse tensor validation (specifically, sparse tensor invariants checks) by default for performance reasons. vLLM is adding the sparse tensor validation to ensure indices are valid, non-negative, and within bounds. These checks help catch malformed tensors.
## PoC
NA
## Impact
Current fix only added a flag to disable/enable prompt embeds, so by default, prompt embeds
Wiz
CVE-2026-34753 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-34753 [HIGH] CVE-2026-34753 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34753 :
vLLM vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions.
This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.
Source : NVD
## 5.4
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
vLLM
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV
Wiz
CVE-2026-34756 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-34756 [HIGH] CVE-2026-34756 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34756 :
vLLM vulnerability analysis and mitigation
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.
Source : NVD
## 6.5
Score
Published April 6, 2026
Severity MEDIU
https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72https://github.com/vllm-project/vllm/pull/36192https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59https://access.redhat.com/errata/RHSA-2026:10140https://access.redhat.com/errata/RHSA-2026:10141https://access.redhat.com/errata/RHSA-2026:19712https://access.redhat.com/errata/RHSA-2026:19724https://access.redhat.com/errata/RHSA-2026:19725https://access.redhat.com/errata/RHSA-2026:24977https://access.redhat.com/errata/RHSA-2026:8746https://access.redhat.com/errata/RHSA-2026:8747https://access.redhat.com/errata/RHSA-2026:8748https://access.redhat.com/security/cve/CVE-2026-27893https://bugzilla.redhat.com/show_bug.cgi?id=2452055https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27893.json
2026-03-27
Published