Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A security check in vLLM’s activation function loading is implemented as an assert statement. The flaw is classified as a code injection weakness (CWE-94) and a reachable assertion (CWE-617). When Python runs in optimized mode, the assert is removed and the check never executes, so the vulnerable path is fully exposed: an attacker can craft a malicious HuggingFace model that triggers the unguarded code path and executes arbitrary code.
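The following added example (not vLLM's code and not part of the advisory) shows why an assert cannot serve as a security check: the same guard is compiled at optimization level 0 and at level 1, which is what `python -O` or `PYTHONOPTIMIZE=1` selects. The allowlist, the function names and the sample names are assumptions made for the illustration.

```python
# Added illustration with hypothetical names; this is not vLLM's code.
ALLOWED_PREFIXES = ("torch.nn.",)  # assumed allowlist for the demo

GUARD_SRC = '''
def check_with_assert(qualified_name):
    # Guard written as an assert: compiled out at optimization level >= 1.
    assert qualified_name.startswith(ALLOWED_PREFIXES), "untrusted activation"
    return qualified_name

def check_with_raise(qualified_name):
    # Guard written as ordinary control flow: present at every level.
    if not qualified_name.startswith(ALLOWED_PREFIXES):
        raise ValueError("untrusted activation: " + qualified_name)
    return qualified_name
'''

def load_checks(optimize):
    """Compile the guards as plain python (0) or `python -O` (1) would."""
    ns = {"ALLOWED_PREFIXES": ALLOWED_PREFIXES}
    exec(compile(GUARD_SRC, "<guards>", "exec", optimize=optimize), ns)
    return ns["check_with_assert"], ns["check_with_raise"]

def is_rejected(check, name):
    """True if the guard refuses the name, False if it lets it through."""
    try:
        check(name)
    except (AssertionError, ValueError):
        return True
    return False

def survey(name):
    """Return {(guard, optimize_level): rejected?} for one candidate name."""
    results = {}
    for level in (0, 1):
        with_assert, with_raise = load_checks(level)
        results[("assert", level)] = is_rejected(with_assert, name)
        results[("raise", level)] = is_rejected(with_raise, name)
    return results

if __name__ == "__main__":
    # Constructed sample standing in for a name read from a model's config.
    for key, rejected in survey("some_pkg.not_allowed").items():
        print(key, "rejected" if rejected else "ACCEPTED")
```

A running service can report its own optimization level through `sys.flags.optimize`, which is 0 when asserts are active.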

Affected Systems

vLLM versions 0.21.x and earlier of the vllm-project vllm product are affected. The vulnerability was fixed in version 0.22.0. Any deployment that imports models from public HuggingFace repositories while running with Python optimization enabled (python -O or PYTHONOPTIMIZE=1) is at risk. No other products or vendors are reported as affected.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating high severity. Because it is exploitable only in optimized mode, the direct path to exploitation is limited to deployments that enable that mode and load external models, but such a configuration is commonly used in production. The EPSS score is not available, so the historical exploitation probability is unknown; however, the vulnerability has been published and is tracked via a public advisory, which suggests that it could be exploited if not patched. The vulnerability is not listed in the CISA KEV catalogue, but the potential for uncontrolled code execution warrants immediate attention.

Generated by OpenCVE AI on June 22, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to version 0.22.0 or later
  • Run vLLM with Python optimization disabled (remove the -O flag or set PYTHONOPTIMIZE=0) until the patch is applied
  • Restrict model loading to trusted or vetted HuggingFace repositories and validate model integrity before loading

Advisories
Source: GitHub GHSA
ID: GHSA-q8gq-377p-jq3r
Title: vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution

History

Mon, 22 Jun 2026 22:45:00 +0000

Values removed: none shown.

Values added:

  • Description: vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.
  • Title: vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
  • Weaknesses: CWE-617, CWE-94
  • References
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T22:18:14.494Z

Reserved: 2026-04-20T18:18:50.682Z

Link: CVE-2026-41523

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:00:16Z

Weaknesses
  • CWE-617: Reachable Assertion
  • CWE-94: Improper Control of Generation of Code ('Code Injection')