Description
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
Published: 2026-01-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

vLLM is an inference engine for large language models that, in versions 0.10.1 through 0.13.x, automatically loads Hugging Face’s auto_map modules when resolving a model. If the model repository or local directory is under attacker control, the dynamic module import allows arbitrary Python code to run at server startup, before any request handling or authentication. This code injection capability is identified as CWE-94 and grants the attacker full control over the host running vLLM, potentially compromising confidentiality, integrity, and availability of the underlying system.

Affected Systems

The vulnerability affects the vLLM engine from the vLLM project, specifically any deployment using a version between 0.10.1 and 0.13.x inclusive. All releases of vLLM in that range are susceptible; version 0.14.0 and later contain the fix that gates dynamic module loading with the trust_remote_code flag. Systems running a version prior to v0.14.0 should be considered exposed.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is below 1%, suggesting the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector requires an adversary to influence the model path during initialisation, either by placing a malicious local repository or by selecting a target Hugging Face repo, without the need for network authentication or API access. Once the payload executes, the attacker achieves arbitrary code execution on the host, with no barrier to entry beyond control of the model path.

Generated by OpenCVE AI on April 18, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.14.0 or later, which gates dynamic module loading on the trust_remote_code flag.
  • If an upgrade cannot be performed immediately, limit model resolution to directories or repositories that are verified as trusted and enforce the trust_remote_code flag during initialisation.
  • Disable or remove automatic loading of auto_map dynamic modules by modifying the deployment configuration or source code to use only static model loading.
  • Implement runtime logging for model initialisation steps to detect unexpected imports or code execution, and restrict Python path or execution environment if necessary.
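
A pre-flight check along the lines of the second and fourth recommendations, as an added example (not vLLM or Hugging Face code): it inspects a local model directory for `auto_map` entries and bundled Python files before the path is handed to the server, reading the files as data without importing anything. The list of config file names and the function names are assumptions made for this sketch.

```python
import json
import tempfile
from pathlib import Path

# Assumption: JSON files where an `auto_map` entry may appear; extend as needed.
CONFIG_FILES = ("config.json", "tokenizer_config.json", "preprocessor_config.json")


def find_auto_map(node, path=""):
    """Yield (json_path, value) for every `auto_map` key at any nesting depth."""
    children = (node.items() if isinstance(node, dict)
                else enumerate(node) if isinstance(node, list) else ())
    for key, value in children:
        here = f"{path}.{key}" if path else str(key)
        if key == "auto_map":
            yield here, value
        else:
            yield from find_auto_map(value, here)


def audit_model_dir(model_dir):
    """Report auto_map references and bundled .py files in a local model dir."""
    root = Path(model_dir)
    report = {"auto_map": [], "python_files": [], "unreadable": []}
    for name in CONFIG_FILES:
        try:
            data = json.loads((root / name).read_text(encoding="utf-8"))
        except FileNotFoundError:
            continue
        except (OSError, ValueError):
            report["unreadable"].append(name)  # unparsable config: flag for review
            continue
        report["auto_map"] += [(name, p, v) for p, v in find_auto_map(data)]
    report["python_files"] = sorted(str(p.relative_to(root)) for p in root.rglob("*.py"))
    report["needs_review"] = any(report[k] for k in ("auto_map", "python_files", "unreadable"))
    return report


def demo():
    """Constructed sample: a plain model dir and one that declares auto_map."""
    with tempfile.TemporaryDirectory() as tmp:
        plain, custom = Path(tmp, "plain"), Path(tmp, "custom")
        for d in (plain, custom):
            d.mkdir()
        (plain / "config.json").write_text('{"model_type": "llama"}')
        (custom / "config.json").write_text(json.dumps(
            {"model_type": "x", "auto_map": {"AutoConfig": "configuration_x.XConfig"}}))
        (custom / "configuration_x.py").write_text("# inert placeholder\n")
        return audit_model_dir(plain), audit_model_dir(custom)
```

A deployment wrapper can refuse to start the server when `needs_review` is true; for a remote repository, run the same audit on a downloaded snapshot pinned to a specific revision.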

Advisories
Source | ID | Title
Github GHSA | GHSA-2pc9-4j83-qjmr | vLLM affected by RCE via auto_map dynamic module loading during model initialization

History

Fri, 30 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vllm; Vllm vllm
CPEs | | cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products | | Vllm; Vllm vllm

Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vllm-project; Vllm-project vllm
Vendors & Products | | Vllm-project; Vllm-project vllm

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important


Wed, 21 Jan 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
Title | | vLLM affected by RCE via auto_map dynamic module loading during model initialization
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:50:33.696Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22807

Vulnrichment

Updated: 2026-01-22T15:11:02.864Z

NVD

Status: Analyzed

Published: 2026-01-21T22:15:49.077

Modified: 2026-01-30T14:43:22.290

Link: CVE-2026-22807

Redhat

Severity: Important

Public Date: 2026-01-21T21:13:11Z

Links: CVE-2026-22807 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses