Description
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vllm-project/vllm version 0.14.1 contains a flaw where the trust_remote_code=True setting is hardcoded in two model implementation files. This bypasses the user’s explicit --trust-remote-code=False flag, allowing an attacker to trigger remote code execution through malicious HuggingFace model repositories. The vulnerability is a classic example of a trust escalation flaw that can lead to full system compromise if an attacker supplies a crafted model.

Affected Systems

The affected product is vllm-project/vllm, specifically release 0.14.1 and any build that includes the unchanged nemotron_vl.py and kimi_k25.py files. Deployments that load NemotronVL or KimiK25 models are at higher risk. No other vendor or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk. The EPSS score is not available, so the current public exploitation probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the model loading process; if an attacker controls the model repository or the model loading request, they can force execution of arbitrary code due to the hardcoded trust flag. Without mitigation, any system that loads these models from potentially untrusted sources is vulnerable.

Generated by OpenCVE AI on May 28, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vllm to a version that removes the hardcoded trust_remote_code=True setting (e.g., vllm 0.15.0 or later).
  • Ensure that any custom or third‑party model loading scripts explicitly set trust_remote_code to False, overriding any defaults in the package.
  • Restrict model repositories to vetted or trusted sources and perform code review of model files before deployment.
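One way to check a vLLM install or fork for the pattern described above, as an added example (not code from OpenCVE or the vLLM project): an AST scan that reports calls and dict literals pinning `trust_remote_code` to `True` instead of passing the user's setting through. The sample source is constructed, and the function names `find_hardcoded_trust` and `scan_tree` are hypothetical.

```python
import ast
from pathlib import Path

# Constructed sample, NOT the actual vLLM source: one function pins the flag,
# one propagates the user's setting, one hides the literal in a kwargs dict.
SAMPLE_SOURCE = '''
from transformers import AutoConfig, AutoModel

def load_vision_tower(model_config):
    cfg = AutoConfig.from_pretrained(model_config.model, trust_remote_code=True)
    return AutoModel.from_config(cfg, trust_remote_code=True)

def load_processor(model_config):
    return AutoConfig.from_pretrained(
        model_config.model,
        trust_remote_code=model_config.trust_remote_code,
    )

def load_with_kwargs(model_config):
    opts = {"trust_remote_code": True}
    return AutoConfig.from_pretrained(model_config.model, **opts)
'''

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_hardcoded_trust(source, filename="<memory>"):
    """Return (filename, line, where) for each literal trust_remote_code=True."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "trust_remote_code" and _is_true(kw.value):
                    findings.append((filename, node.lineno, ast.unparse(node.func)))
        elif isinstance(node, ast.Dict):
            # Literal dicts later splatted into a call with **opts.
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant)
                        and key.value == "trust_remote_code" and _is_true(value)):
                    findings.append((filename, key.lineno, "<dict literal>"))
    return sorted(findings, key=lambda f: f[1])

def scan_tree(root):
    """Run the check over every .py file under root (e.g. a models directory)."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        findings += find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path))
    return findings
```

A flagged line is a review item, not proof of exposure: confirm whether the call loads repository-supplied code and whether the user's setting reaches it.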

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vllm-project; Vllm-project vllm
Vendors & Products | | Vllm-project; Vllm-project vllm

Thu, 28 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
Title | | Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-28T19:47:23.664Z

Reserved: 2026-03-26T23:52:08.858Z

Link: CVE-2026-4944

Vulnrichment

Updated: 2026-05-28T19:47:16.494Z

NVD

Status: Deferred

Published: 2026-05-28T19:16:42.677

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-4944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')