
vLLM CVE-2026-54232

Severity: HIGH (CVSS 3.1 base score 8.8, Vendor: GitHub_M)
Weakness: Uncontrolled Search Path Element (CWE-427)
Date: 2026-06-22 (GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

The attacker needs no privileges or authentication, only a PyPI account to register the package name, but a victim must actually run the Docker build, hence UI:R; code execution as root at build time yields full loss of confidentiality, integrity and availability.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 22, 2026, 23:01 (vuln.today)

Description (CVE.org)

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments. This vulnerability is fixed in 0.22.1.

Analysis (AI)

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Register flashinfer-jit-cache on PyPI with a high version
  • Delivery: Victim invokes vulnerable vLLM Docker build
  • Exploit: uv selects malicious PyPI wheel over vendor index
  • Install: Wheel install hook runs as root in build stage
  • C2: Backdoor baked into container layer
  • Execute: Image deployed to production inference cluster
  • Impact: Exfiltrate prompts, API keys, and model data

Vulnerability Assessment (AI)

Exploitation: Requires (1) a victim building the vLLM Docker image from a vulnerable Dockerfile prior to 0.22.1 that sets UV_INDEX_STRATEGY=unsafe-best-match and installs flashinfer-jit-cache via --extra-index-url https://flashinfer.ai/whl/, and (2) the attacker having previously registered flashinfer-jit-cache on PyPI with a version string sorting higher than the legitimate vendor-index release (the description cites 0.6.11.post2). …

Risk Assessment: CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) accurately captures that an unauthenticated network-borne supply-chain action (registering a PyPI name) yields full confidentiality, integrity, and availability loss once a victim builds the image. …

Exploit Scenario: An attacker registers the name flashinfer-jit-cache on PyPI with version 0.6.11.post2 (higher than the legitimate vendor-index wheel) containing a malicious setup.py or wheel post-install hook. When a victim builds the official vLLM Docker image, uv resolves the higher PyPI version and executes the attacker's code as root during the build, installing a persistent backdoor that exfiltrates prompts, API credentials, and model artifacts from every container subsequently deployed from that image.

Remediation: Upgrade to vLLM 0.22.1, which removes the unsafe index strategy and/or pins flashinfer-jit-cache to a trusted source; this is the only complete fix and is documented in GHSA-jrf6-vqxq-pjv2 (https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2). …
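As an added illustration of the mechanism described in the analysis and remediation sections (this is not vLLM's or uv's code), the Python below simulates how a resolver that consults the vendor index plus PyPI picks a wheel under uv's default first-index strategy versus unsafe-best-match, using constructed index contents that mirror the advisory's scenario. The names `Candidate`, `resolve` and `from_untrusted_index` are chosen here, and version parsing is deliberately reduced to the PEP 440 subset the scenario needs.

```python
import re
from dataclasses import dataclass

# Deliberate PEP 440 subset: release digits plus an optional ".postN" suffix.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")

def version_key(v: str) -> tuple:
    """Sort key that orders 'X.Y.Z' below 'X.Y.Z.postN', as PEP 440 does."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    release = tuple(int(p) for p in m.group(1).split("."))
    post = int(m.group(2)) if m.group(2) is not None else -1  # plain release < .post0
    return (release, post)

@dataclass(frozen=True)
class Candidate:
    index: str
    version: str

# Constructed index contents for the advisory's scenario. The order mirrors uv:
# --extra-index-url indexes are consulted before the default PyPI index.
VENDOR_INDEX = "https://flashinfer.ai/whl/"
PYPI = "https://pypi.org/simple/"
INDEX_ORDER = [VENDOR_INDEX, PYPI]
INDEXES = {
    VENDOR_INDEX: {"flashinfer-jit-cache": ["0.6.11"]},
    PYPI: {"flashinfer-jit-cache": ["0.6.11.post2"]},  # squatted name, higher version
}

def resolve(name: str, strategy: str, indexes=INDEXES, order=INDEX_ORDER) -> Candidate:
    """Return the wheel a resolver would install under the given index strategy."""
    if strategy == "first-index":
        # Stop at the first index that knows the name; later indexes are never asked.
        for url in order:
            versions = indexes[url].get(name)
            if versions:
                return Candidate(url, max(versions, key=version_key))
        raise LookupError(name)
    if strategy == "unsafe-best-match":
        # Pool every index and take the highest version, whoever published it.
        pool = [Candidate(u, v) for u in order for v in indexes[u].get(name, [])]
        if not pool:
            raise LookupError(name)
        return max(pool, key=lambda c: version_key(c.version))
    raise ValueError(f"unknown strategy: {strategy}")

def from_untrusted_index(name: str, strategy: str, trusted: str = VENDOR_INDEX) -> bool:
    """Audit check: would this strategy pull the package from outside the trusted index?"""
    return resolve(name, strategy).index != trusted
```

Running `from_untrusted_index("flashinfer-jit-cache", "unsafe-best-match")` over a real lockfile's index list is the kind of pre-build check that would have flagged this Dockerfile before the name was ever claimed on PyPI.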

Recommended Action (AI)

Within 24 hours: Audit all vLLM instances, identify current versions in use, and disable automated Docker builds for versions prior to 0.22.1. …


CVE-2026-54232 vulnerability details – vuln.today
