Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
Published: 2026-06-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A dependency confusion flaw in vLLM’s Dockerfile allows an attacker to inject malicious code by uploading a package with the same name as a private dependency to PyPI. During the Docker build, the Dockerfile pulls the package from an untrusted index and installs it with a globally configured unsafe best‑match strategy. If the attacker succeeds, arbitrary code can run as root, and all resulting container images can be back‑doored, exposing prompts, credentials, and model data.

Affected Systems

All installations of vLLM before version 0.22.1 that use the default Dockerfile are susceptible. Users running Docker builds of the vLLM engine with the flashinfer‑jit‑cache package via the custom index are impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high risk. The EPSS score is < 1%, indicating a very low but non‑zero probability of exploitation, and the vulnerability is not listed in the KEV catalog. Exploitation requires the attacker to upload a malicious flashinfer‑jit‑cache package to PyPI, a straightforward step for any PyPI‑registered user, making the attack path realistic. Once the malicious package is pulled during a Docker build, the attacker gains root access inside the image, enabling persistent compromise of all containers built from that image.

Generated by OpenCVE AI on June 26, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to release v0.22.1 or later, which removes the dependency confusion issue
  • If an upgrade is not immediately possible, modify the Dockerfile to eliminate the --extra-index-url for flashinfer.ai or remove the flashinfer‑jit‑cache requirement entirely
  • Restrict the use of the UV_INDEX_STRATEGY setting to a secure value or remove the global unsafe‑best‑match configuration, ensuring that only trusted package indexes are consulted during a build
  • Verify that the flashinfer‑jit‑cache package is downloaded from the intended registry only, creating a lock file or hash verification to mitigate the dependency confusion weakness (CWE-426)

Generated by OpenCVE AI on June 26, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-426
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Vllm-project
Vllm-project vllm
Vendors & Products Vllm-project
Vllm-project vllm

Mon, 22 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
Title vLLM: Dependency Confusion Vulnerability in vLLM Dockerfile
Weaknesses CWE-427
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Vllm-project Vllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T14:30:04.849Z

Reserved: 2026-06-12T16:25:43.084Z

Link: CVE-2026-54232

cve-icon Vulnrichment

Updated: 2026-06-23T14:29:59.860Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T22:16:43Z

Links: CVE-2026-54232 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T15:30:02Z

Weaknesses
  • CWE-426

    Untrusted Search Path

  • CWE-427

    Uncontrolled Search Path Element