Skip to main content

Vllm CVE-2026-27893

| EUVDEUVD-2026-16478 HIGH
Protection Mechanism Failure (CWE-693)
2026-03-27 security-advisories@github.com
8.8
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 00:22 euvd
EUVD-2026-16478
Analysis Generated
Mar 27, 2026 - 00:22 vuln.today
CVE Published
Mar 27, 2026 - 00:16 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on vllm (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.10.1.

DescriptionCVE.org

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.

AnalysisAI

Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.

Technical ContextAI

vLLM is a Python-based inference and serving engine optimized for large language models. The vulnerability stems from CWE-693 (Protection Mechanism Failure) where two model implementation files within the codebase contain hardcoded trust_remote_code=True parameters when invoking HuggingFace transformers' AutoModel.from_pretrained() or similar loading functions. This hardcoding occurs at the sub-component loading stage and bypasses the user-specified --trust-remote-code=False command-line flag that should propagate throughout the application. The trust_remote_code parameter in HuggingFace transformers controls whether arbitrary Python code embedded in model repositories (typically modeling.py files) can be executed during model loading. By forcing this to True regardless of user preference, the affected versions create a protection mechanism bypass that enables arbitrary code execution through malicious model configurations.

RemediationAI

Upgrade vLLM to version 0.18.0 or later, which contains the vendor-released patch that removes hardcoded trust_remote_code=True settings and properly respects user security preferences (see commit 00bd08edeee5dd4d4c13277c0114a464011acf72 at https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72 and pull request https://github.com/vllm-project/vllm/pull/36192). Until patching is completed, organizations should implement strict model repository allowlisting to only load models from trusted internal sources or verified external repositories, avoid loading models from user-supplied URLs or untrusted third parties, and consider implementing network segmentation to isolate systems running vulnerable vLLM versions from external network access. Review all model loading operations to ensure they originate from authenticated and authorized sources only.

More in Vllm

View all
CVE-2025-32444 CRITICAL POC
10.0 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0

CVE-2024-11041 CRITICAL POC
9.8 Mar 20

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev

CVE-2026-22778 CRITICAL POC
9.8 Feb 02

Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal

CVE-2025-30202 HIGH POC
7.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th

CVE-2026-24779 HIGH POC
7.1 Jan 27

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons

CVE-2025-46560 MEDIUM POC
6.5 Apr 30

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),

CVE-2026-22773 MEDIUM POC
6.5 Jan 10

Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).

CVE-2026-22807 CRITICAL
9.8 Jan 21

Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit

CVE-2026-25960 CRITICAL
9.8 Mar 09

Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i

CVE-2026-9540 MEDIUM POC
5.5 May 26

Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch

CVE-2025-29783 CRITICAL
9.0 Mar 19

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)

CVE-2026-54232 HIGH
8.8 Jun 22

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments

Vendor StatusVendor

Share

CVE-2026-27893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy