Skip to main content

vLLM EUVDEUVD-2026-32979

| CVE-2026-4944 HIGH
Path Traversal (CWE-22)
2026-05-28 @huntr_ai GHSA-g57c-wgqx-8wx7
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 19:20 vuln.today

DescriptionCVE.org

vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files (vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py). This bypasses the user's explicit --trust-remote-code=False setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.

AnalysisAI

Remote code execution in vLLM 0.14.1 occurs because trust_remote_code=True is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit --trust-remote-code=False safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.

Technical ContextAI

vLLM is a high-throughput inference and serving engine for LLMs that pulls model weights and config from the HuggingFace Hub. HuggingFace's from_pretrained loaders accept a trust_remote_code flag that, when True, executes arbitrary Python shipped inside the repository (custom modeling files) - this is the documented foot-gun the CLI flag --trust-remote-code=False is meant to suppress. In vllm 0.14.1 the files vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py pass trust_remote_code=True as a literal, bypassing the user-supplied setting. The CWE-22 (Path Traversal) classification is a poor fit for the described behavior, which is closer to CWE-94 (Code Injection) / CWE-1188 (Insecure Default Initialization); the underlying primitive is arbitrary Python execution from a remote repo, not directory traversal. CPE coverage in NVD is a wildcard against vllm-project/vllm with no version boundary published yet.

RemediationAI

No vendor-released patch identified at time of analysis; monitor the vllm-project/vllm GitHub repository and the huntr report at https://huntr.com/bounties/97f706f7-a852-49b2-a4eb-76811e611daf for a fixed release, and upgrade as soon as one beyond 0.14.1 is published that removes the hardcoded trust_remote_code=True in both files. As a compensating control, do not serve NemotronVL or KimiK25 architectures on 0.14.1 - switch to an alternative supported architecture or pin to a vllm version that does not contain these loaders. Where the model must be served, restrict model loading to a locally vetted on-disk copy (pre-download with huggingface-cli and pass a local path) so the loader cannot fetch an attacker-controlled configuration_*.py, and run vllm under a dedicated unprivileged service account in a container with no outbound network egress to HuggingFace once the model is cached; the trade-off is loss of dynamic model pulls and the operational overhead of mirroring. Locally patching the two files to honor the CLI flag is a viable stop-gap for self-built deployments but creates a fork that must be re-applied on every upgrade.

Share

EUVD-2026-32979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy