PatchSiren

CVE-2026-22807 vllm-project CVE debrief

CVE-2026-22807 is a high-severity vulnerability in vLLM, an inference and serving engine for large language models. The vulnerability allows for arbitrary code execution on the vLLM host during model load, prior to any request handling and without requiring API access. This is possible because vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without properly gating on `trust_remote_code`. An attacker who can influence the model repo/path can exploit this vulnerability. The issue was fixed in version 0.14.0.

Vendor: vllm-project
Product: vllm
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-21
Original CVE updated: 2026-06-30
Advisory published: 2026-01-21
Advisory updated: 2026-06-30

Who should care

Organizations using vLLM for inference and serving of large language models should prioritize patching this vulnerability. Any deployment running a vLLM version from 0.10.1 up to, but not including, 0.14.0 (the fixed release) should take immediate action. This includes, but is not limited to, AI and ML service providers, research institutions, and enterprises deploying LLMs for various applications.

Technical summary

The vulnerability exists in vLLM's model resolution process. When loading models, vLLM uses Hugging Face's `auto_map` feature to dynamically import modules. However, it does not properly restrict this functionality based on the `trust_remote_code` setting. This allows an attacker to execute arbitrary Python code by influencing the model repo/path. The code execution occurs during server startup, before any request handling begins, and does not require API access. The CVSS score for this vulnerability is 8.8, indicating a high severity level.

Defensive priority

High priority should be given to patching this vulnerability. Organizations should update vLLM to version 0.14.0 or later as soon as possible. In the meantime, defenders should review their current model repositories and paths for any suspicious or untrusted models, and ensure that only trusted models are loaded.

Recommended defensive actions

  • Update vLLM to version 0.14.0 or later immediately.
  • Review and audit model repositories and paths for suspicious or untrusted models.
  • Implement strict controls on model loading and execution.
  • Monitor for any unusual activity or errors related to model loading.
  • Consider temporarily disabling `auto_map` functionality until all models can be reviewed and updated.
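
One way to carry out the model audit recommended above, as an added example (not code from vLLM or from the advisory): it walks a local model store and lists every `auto_map` reference, marking those that name code in another repository. The function names, the set of config filenames scanned, and the sample repository names are assumptions made for this illustration.

```python
import json
import tempfile
from pathlib import Path

# Hugging Face config files that can carry an auto_map entry (assumed set).
CONFIG_NAMES = {"config.json", "tokenizer_config.json",
                "preprocessor_config.json", "processor_config.json"}

def audit_model_dir(root):
    """Return (file, auto_class, reference, kind) for each auto_map entry under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*.json") if p.name in CONFIG_NAMES):
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A config that cannot be parsed cannot be cleared; report it.
            findings.append((str(path), None, None, "unreadable"))
            continue
        auto_map = cfg.get("auto_map") if isinstance(cfg, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for auto_class, value in sorted(auto_map.items()):
            # A value is one string, or a list that may contain nulls.
            refs = value if isinstance(value, list) else [value]
            for ref in (r for r in refs if isinstance(r, str)):
                # "repo--module.Class" names code hosted in another repository.
                kind = "external repo" if "--" in ref else "local module"
                findings.append((str(path), auto_class, ref, kind))
    return findings

def write_sample(root):
    """Write constructed sample configs (not real models) for a dry run."""
    samples = {
        "plain/config.json": {"model_type": "llama"},
        "custom/config.json": {"auto_map": {
            "AutoConfig": "configuration_demo.DemoConfig",
            "AutoModelForCausalLM": "example-org/demo--modeling_demo.DemoLM"}},
        "custom/tokenizer_config.json": {"auto_map": {
            "AutoTokenizer": ["tokenization_demo.DemoTokenizer", None]}},
    }
    for rel, cfg in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(cfg), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(*audit_model_dir(tmp), sep="\n")
```

Every reported entry is a model that ships or references custom Python code, so each one needs a review of the referenced module before the model is allowed onto a vLLM host.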

Evidence notes

The CVE record and NVD details were published on January 21, 2026, and last modified on June 30, 2026. The vulnerability was fixed in vLLM version 0.14.0. Multiple references, including GitHub commits, pull requests, and release notes, confirm the existence and resolution of this issue.

This article was generated with AI assistance based on the supplied source corpus.