CVE-2026-22807

vLLM affected by RCE via auto_map dynamic module loading during model initialization

CVSS 8.8 HIGH · EPSS 0.5% · CWE-94

In short

vLLM automatically loads and executes Python code from model files without verifying if they are trustworthy, allowing an attacker to run malicious code on the server when a model is loaded. This is dangerous because it happens automatically at startup, before the system is even ready to handle requests.

Technical detail

vLLM versions 0.10.1 through 0.13.x load Hugging Face auto_map dynamic modules during model initialization without enforcing trust_remote_code validation (CWE-94: Improper Control of Generation of Code). An attacker with control over the model repository path (local or remote) can inject arbitrary Python code that executes with server privileges at startup, before request handling begins, requiring no API access.

Summary generated and translated by AI from the official description.

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

vllm-project · vllm
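
A pre-load check for the condition described above, as an added example that is not part of the advisory or vLLM's own code: it flags a local model directory whose Hugging Face config declares `auto_map` and tests a vLLM version string against the stated range (0.10.1 up to, not including, 0.14.0). The function names, the pair of files inspected and the sample config are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

# Affected range stated in the advisory: >= 0.10.1 and < 0.14.0.
FIRST_AFFECTED, FIRST_FIXED = (0, 10, 1), (0, 14, 0)
# Assumption: the files inspected here for an auto_map key.
CONFIG_FILES = ("config.json", "tokenizer_config.json")
# Constructed sample config; the module and class names are hypothetical.
SAMPLE_CONFIG = {"model_type": "example",
                 "auto_map": {"AutoConfig": "configuration_example.ExampleConfig"}}


def version_is_affected(version: str) -> bool:
    """True if a vLLM version string falls in the advisory's range."""
    # Pre-release and post-release suffixes are ignored (assumption).
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parsed = tuple(int(part or 0) for part in match.groups())
    return FIRST_AFFECTED <= parsed < FIRST_FIXED


def find_auto_map(model_dir: str) -> dict:
    """Return {file name: auto_map contents} for each config declaring one."""
    findings = {}
    for name in CONFIG_FILES:
        path = Path(model_dir) / name
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            # Fail closed: a config that cannot be parsed needs a human look.
            findings[name] = {"<unparseable>": "review manually"}
            continue
        auto_map = data.get("auto_map") if isinstance(data, dict) else None
        if auto_map:
            findings[name] = auto_map
    return findings


def audit(model_dir: str, vllm_version: str) -> str:
    """Classify a local model directory before it is handed to vLLM."""
    if not find_auto_map(model_dir):
        return "ok: no auto_map declared"
    if version_is_affected(vllm_version):
        return "block: auto_map present and vLLM version is in the affected range"
    return "review: auto_map present; load only if the repo code is trusted"
```

A "block" or "review" result means the directory references Python modules that the model loader may import, so the referenced files should be read before the model is served.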
