PatchSiren cyber security CVE debrief
CVE-2026-22807 vllm-project CVE debrief
CVE-2026-22807 is a high-severity vulnerability in vLLM, an inference and serving engine for large language models. The vulnerability allows for arbitrary code execution on the vLLM host during model load, prior to any request handling and without requiring API access. This is possible because vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without properly gating on `trust_remote_code`. An attacker who can influence the model repo/path can exploit this vulnerability. The issue was fixed in version 0.14.0.
- Vendor: vllm-project
- Product: vllm
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-21
- Advisory updated: 2026-06-30
Who should care
Organizations using vLLM for inference and serving of large language models should prioritize patching this vulnerability. Any deployment running a vLLM version from 0.10.1 up to, but not including, the fixed 0.14.0 release should take immediate action. This includes, but is not limited to, AI and ML service providers, research institutions, and enterprises deploying LLMs for various applications.
Technical summary
The vulnerability exists in vLLM's model resolution process. When loading models, vLLM uses Hugging Face's `auto_map` feature to dynamically import modules. However, it does not properly restrict this functionality based on the `trust_remote_code` setting. This allows an attacker to execute arbitrary Python code by influencing the model repo/path. The code execution occurs during server startup, before any request handling begins, and does not require API access. The CVSS score for this vulnerability is 8.8, indicating a high severity level.
Defensive priority
High priority should be given to patching this vulnerability. Organizations should update vLLM to version 0.14.0 or later as soon as possible. In the meantime, defenders should review their current model repositories and paths for any suspicious or untrusted models, and ensure that only trusted models are loaded.
Recommended defensive actions
- Update vLLM to version 0.14.0 or later immediately.
- Review and audit model repositories and paths for suspicious or untrusted models.
- Implement strict controls on model loading and execution.
- Monitor for any unusual activity or errors related to model loading.
- Consider temporarily disabling `auto_map` functionality until all models can be reviewed and updated.
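One way to carry out the audit step above, as an added example (not vLLM's or the advisory's code): list every `auto_map` code reference in a local model directory so it can be reviewed before the model is served. It assumes the Hugging Face layout in which `auto_map` sits in `config.json`, `tokenizer_config.json` or `preprocessor_config.json` and a `repo--module.Class` value points at another repository; the names used in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

# Files in a Hugging Face model directory that can carry an auto_map.
CONFIG_FILES = ("config.json", "tokenizer_config.json", "preprocessor_config.json")

def auto_map_refs(config):
    """Yield (auto_class, reference) for each code reference in auto_map."""
    auto_map = config.get("auto_map") if isinstance(config, dict) else None
    if not isinstance(auto_map, dict):
        return
    for auto_class, value in auto_map.items():
        # A value is a string, or a list such as [slow_tokenizer, fast_tokenizer].
        for ref in value if isinstance(value, list) else [value]:
            if isinstance(ref, str):
                yield auto_class, ref

def audit_model_dir(model_dir):
    """Return one finding per auto_map reference; an empty list means none found."""
    model_dir, findings = Path(model_dir), []
    for name in CONFIG_FILES:
        if not (model_dir / name).is_file():
            continue
        try:
            config = json.loads((model_dir / name).read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"file": name, "error": str(exc)})
            continue
        for auto_class, ref in auto_map_refs(config):
            # "org/repo--module.Class" takes the module from another repository.
            repo, _, target = ref.rpartition("--")
            module = target.rsplit(".", 1)[0] + ".py"
            findings.append({"file": name, "auto_class": auto_class,
                             "reference": ref, "external_repo": repo or None,
                             "module_in_dir": (model_dir / module).is_file()})
    return findings

def demo():
    # Constructed sample directory (not a real model): one local, one cross-repo ref.
    with tempfile.TemporaryDirectory() as tmp:
        config = {"model_type": "example", "auto_map": {
            "AutoConfig": "configuration_example.ExampleConfig",
            "AutoModelForCausalLM": "other-org/other-repo--modeling_x.XModel"}}
        Path(tmp, "config.json").write_text(json.dumps(config), encoding="utf-8")
        Path(tmp, "configuration_example.py").write_text("# constructed\n")
        return audit_model_dir(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding means the directory asks the loader to import Python code; a non-empty `external_repo` means that code lives outside the directory being reviewed.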
Evidence notes
The CVE record and NVD details were published on January 21, 2026, and last modified on June 30, 2026. The vulnerability was fixed in vLLM version 0.14.0. Multiple references, including GitHub commits, pull requests, and release notes, confirm the existence and resolution of this issue.
Official resources
- CVE-2026-22807 CVE record (CVE.org)
- CVE-2026-22807 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Issue Tracking, Patch
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.