PatchSiren cyber security CVE debrief
CVE-2026-4944 vllm-project CVE debrief
CVE-2026-4944 is a HIGH severity vulnerability (CVSS 8.8) in vllm-project/vllm version 0.14.1, published 2026-05-28. The issue involves hardcoded `trust_remote_code=True` parameters in two specific model implementation files: `vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`. This hardcoding bypasses the user's explicit `--trust-remote-code=False` command-line setting, enabling remote code execution when loading malicious HuggingFace model repositories. The vulnerability represents an incomplete fix for two prior CVEs (CVE-2025-66448 and CVE-2026-22807), affecting separate code paths in model implementation files. Deployments specifically loading NemotronVL or KimiK25 models are particularly at risk. The vulnerability is classified under CWE-22 (Path Traversal) according to the secondary source.
- Vendor: vllm-project
- Product: vllm-project/vllm
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running vllm inference services, particularly those deploying NemotronVL or KimiK25 models; ML platform operators using vllm for production inference; and security teams monitoring ML supply chain risks.
Technical summary
The vllm inference engine version 0.14.1 contains hardcoded `trust_remote_code=True` assignments in model-specific implementation files for NemotronVL and KimiK25 architectures. When users explicitly disable remote code trust via `--trust-remote-code=False`, this user preference is overridden by the hardcoded values in these specific model loaders. This allows malicious HuggingFace repositories to execute arbitrary code during model loading. The vulnerability persists despite prior fixes for related CVEs, indicating incomplete remediation across all model implementation code paths.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade vllm to a version containing the complete fix for this vulnerability
- Audit deployments for use of NemotronVL or KimiK25 models and assess exposure
- Review and restrict HuggingFace model repository sources to trusted origins
- Implement network egress controls to prevent unauthorized outbound connections from vllm inference workloads
- Monitor for anomalous code execution or model loading behavior in vllm deployments
- Verify that `--trust-remote-code=False` is explicitly set and effective in all vllm deployments
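
One way to carry out the audit and verification steps above, as an added example (not code from vLLM or from the advisory): a Python AST scan that reports every place a source tree pins `trust_remote_code` to a literal `True` instead of passing the user's setting through. The function names and the two sample snippets are constructed for illustration; point `scan_tree` at the installed `vllm/model_executor/models` directory.

```python
import ast
from pathlib import Path
FLAG = "trust_remote_code"

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_hardcoded_trust(source, filename="<source>"):
    """Return sorted (line, kind) pairs where FLAG is pinned to literal True."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            # e.g. from_pretrained(path, trust_remote_code=True)
            hits += [(kw.value.lineno, "call keyword") for kw in node.keywords
                     if kw.arg == FLAG and _is_true(kw.value)]
        elif isinstance(node, ast.Dict):
            # e.g. kwargs = {"trust_remote_code": True}
            hits += [(v.lineno, "dict literal")
                     for k, v in zip(node.keys, node.values)
                     if isinstance(k, ast.Constant) and k.value == FLAG and _is_true(v)]
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            # e.g. trust_remote_code = True or cfg.trust_remote_code = True
            names = [getattr(t, "id", getattr(t, "attr", None)) for t in node.targets]
            if FLAG in names:
                hits.append((node.lineno, "assignment"))
    return sorted(hits)

def scan_tree(root):
    """Scan every .py file under root; return {relative path: hits} for flagged files."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            hits = find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            hits = [(0, "unparsable, review manually")]  # never skip silently in an audit
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed samples (not the actual vLLM source): one pins the flag, one honors the config.
SAMPLE_PINNED = '''
def load(path, cfg):
    return AutoConfig.from_pretrained(path, trust_remote_code=True)
'''
SAMPLE_HONORS = '''
def load(path, cfg):
    return AutoConfig.from_pretrained(path, trust_remote_code=cfg.trust_remote_code)
'''
```

A hit is a lead for manual review of that loader, and an empty result does not rule out the flag being set indirectly through a variable or helper.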
Evidence notes
Vulnerability confirmed through the official CVE record and NVD entry. Source references include the Huntr bounty platform. CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected version specifically identified as 0.14.1.
Official resources
- CVE-2026-4944 CVE record (CVE.org)
- CVE-2026-4944 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (2026-05-28)