Description
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

vLLM, the inference engine for large language models, contains a flaw in its model implementation files that hardcode trust_remote_code=True. The setting is applied when loading sub‑components, regardless of the user’s configured flag to disable remote code trust. This flaw allows a malicious model repository to execute arbitrary code on the host where vLLM runs. The vulnerability falls under configuration management weaknesses (CWE‑693) and can lead to complete compromise of the system running the engine.

Affected Systems

vLLM (vllm‑project:vllm) versions between 0.10.1 (inclusive) and 0.18.0 (exclusive) are affected. Any deployment of these releases that loads models from remote repositories is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. While the EPSS score is not available, the absence from the KEV catalog suggests no known public exploitation yet, yet the ability to execute remote code presents a serious threat. Based on the description, the most likely attack vector involves an attacker providing a malicious model repository and instructing vLLM to load it, thereby bypassing the explicit opt‑out. The impact can be system compromise, data exfiltration, or denial of service.

Generated by OpenCVE AI on March 27, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.18.0 or later
  • If an upgrade is not immediately possible, modify the code or configuration to force trust_remote_code=False when loading models, or remove the hardcoded setting from implementation files
  • Verify that no untrusted model repositories are being used and audit execution logs for signs of malicious code
  • Stay informed by monitoring the vLLM project’s security advisories for additional patches or mitigations

Generated by OpenCVE AI on March 27, 2026 at 06:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7972-pg2x-xr59 vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
History

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Title vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out
Weaknesses CWE-693
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:52:33.526Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27893

cve-icon Vulnrichment

Updated: 2026-03-27T13:26:45.730Z

cve-icon NVD

Status : Received

Published: 2026-03-27T00:16:22.333

Modified: 2026-03-27T00:16:22.333

Link: CVE-2026-27893

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T23:56:53Z

Links: CVE-2026-27893 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:41Z

Weaknesses