Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
Published: 2026-06-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vLLM is an inference and serving platform for large language models that relies on accurate revision pinning to ensure that only reviewed code and model artifacts are executed. The vulnerability causes a drift where pinned deployments that specify a revision or code revision can still load dynamic code, weight files, image processors, or sibling artifacts from the default or an unpinned revision. As a result, operators might believe they are serving a secure, reviewed model while the system unintentionally incorporates potentially compromised artifacts. This supply‑chain integrity issue aligns with CWE‑345 and CWE‑829 and could allow an adversary to insert malicious code or alter model behavior without detection.

Affected Systems

All installations of vllm-project vllm running a version earlier than 0.22.0 are subject to this flaw. The affected component is the artifact loading subsystem that resolves code, weight, and processor revisions.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of 0.00146 (<1%) suggests a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves compromising the deployment configuration or gaining control over the artifact repository from which the dynamic artifacts are loaded, allowing an attacker to inject or modify code outside the intended pinned revision. Operators should therefore treat this issue as significant due to its potential to undermine model integrity.

Generated by OpenCVE AI on June 29, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy vLLM version 0.22.0 or later to apply the fixed artifact pinning behavior.
  • Verify that deployment configurations enforce the --revision and --code-revision flags and do not enable loading of dynamic artifacts outside the specified revision.
  • Review and purge unpinned artifact versions, and follow vLLM release notes and community guidance for secure deployment practices.

Generated by OpenCVE AI on June 29, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3ww4-5jv9-j5gm vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-829
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Mon, 22 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.
Title vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T12:35:39.739Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47155

cve-icon Vulnrichment

Updated: 2026-06-23T12:35:33.893Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T22:20:10Z

Links: CVE-2026-47155 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere