CVE-2026-47155 - Vulnerability Details

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.

Published: 2026-06-22

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

vLLM is an inference and serving platform for large language models that relies on accurate revision pinning to ensure that only reviewed code and model artifacts are executed. The vulnerability causes a drift where pinned deployments that specify a revision or code revision can still load dynamic code, weight files, image processors, or sibling artifacts from the default or an unpinned revision. As a result, operators might believe they are serving a secure, reviewed model while the system unintentionally incorporates potentially compromised artifacts. This supply‑chain integrity issue aligns with CWE‑345 and could allow an adversary to insert malicious code or alter model behavior without detection.

Affected Systems

All installations of vllm-project vllm running a version earlier than 0.22.0 are subject to this flaw. The affected component is the artifact loading subsystem that resolves code, weight, and processor revisions.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. Because the EPSS value is not available and the vulnerability is not listed in the CISA KEV catalog, the current public exploitation probability is unclear. The likely attack vector involves compromising the deployment configuration or gaining control over the artifact repository from which the dynamic artifacts are loaded, allowing an attacker to inject or modify code outside the intended pinned revision. Operators should therefore treat this issue as significant due to its potential to undermine model integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vllm-project

vllm

affected

Version	Status	Constraints
`< 0.22.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy vLLM version 0.22.0 or later to apply the fixed artifact pinning behavior.
Verify that deployment configurations enforce the --revision and --code-revision flags and do not enable loading of dynamic artifacts outside the specified revision.
Review and purge unpinned artifact versions, and follow vLLM release notes and community guidance for secure deployment practices.

Generated by OpenCVE AI on June 22, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3ww4-5jv9-j5gm	vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6
https://github.com/vllm-project/vllm/pull/42616
https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm
https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac

History

Mon, 22 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
Title		vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
Weaknesses		CWE-345
References		https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6 https://github.com/vllm-project/vllm/pull/42616 https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-22T22:20:10.793Z

Updated: 2026-06-22T22:20:10.793Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47155

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses

CWE-345
Insufficient Verification of Data Authenticity

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object