CVE-2026-47155
published 2026-06-22CVE-2026-47155: vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all…
PriorityP337medium6.5CVSS 3.1
AVNACHPRNUINSUCLIHAN
EPSS
0.15%
4.3th percentile
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhaii | vllm-cpu-rhel9 | — | — |
| rhaii | vllm-cuda-rhel9 | — | — |
| rhaii | vllm-gaudi-rhel9 | — | — |
| rhaii | vllm-neuron-rhel9 | — | — |
| rhaii | vllm-rocm-rhel9 | — | — |
| rhaii | vllm-spyre-rhel9 | — | — |
| rhaii | vllm-tpu-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-cuda-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-rocm-rhel9 | — | — |
| rhaiis | vllm-spyre-rhel9 | — | — |
| rhaiis | vllm-tpu-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-rocm-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-gcp-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhoai | odh-vllm-gaudi-rhel9 | — | — |
| vllm-project | vllm | < 0.22.0 | 0.22.0 |
| vllm | vllm | < 0.22.0 | 0.22.0 |
| vllm | vllm | >= 0 < 0.22.0 | 0.22.0 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
ghsa·2026-06-10
CVE-2026-47155 [MEDIUM] CWE-345 vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
### Summary
vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies `--revision` or `--code-revision` can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision.
This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision.
### Details
The expected invariant is:
> When a vLLM operator supplies a model or code revision pin, every code, config, processor,
Red Hat
vllm: vLLM: Supply-chain integrity issue due to inconsistent revision pinning controls
vendor_redhat·2026-06-22·CVSS 6.5
CVE-2026-47155 [MEDIUM] CWE-829 vllm: vLLM: Supply-chain integrity issue due to inconsistent revision pinning controls
vllm: vLLM: Supply-chain integrity issue due to inconsistent revision pinning controls
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
A flaw was found in vLLM, an infer
No detection rules found.
No public exploits indexed.
2026-06-22
Published