Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments. This vulnerability is fixed in 0.22.1.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A dependency confusion flaw in vLLM’s Dockerfile allows an attacker to inject malicious code by uploading a package with the same name as a private dependency to PyPI. During the Docker build, the Dockerfile pulls the package from an untrusted index and installs it with a globally configured unsafe best‑match strategy. If the attacker succeeds, arbitrary code can run as root, and all resulting container images can be back‑doored, exposing prompts, credentials, and model data.

Affected Systems

All installations of vLLM before version 0.22.1 that use the default Dockerfile are susceptible. Users running Docker builds of the vLLM engine with the flashinfer‑jit‑cache package via the custom index are impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high risk. EPSS data is not available, and the issue is not in CISA’s KEV catalog. Exploitation requires the attacker to upload a malicious flashinfer‑jit‑cache package to PyPI, a straightforward step for any PyPI‑registered user, making the attack path realistic. Once the malicious package is pulled during a Docker build, the attacker gains root access inside the image, enabling persistent compromise of all containers built from that image.

Generated by OpenCVE AI on June 22, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to release v0.22.1 or later, which removes the dependency confusion issue
  • If an upgrade is not immediately possible, modify the Dockerfile to eliminate the --extra-index-url for flashinfer.ai or remove the flashinfer‑jit‑cache requirement entirely
  • Restrict the use of the UV_INDEX_STRATEGY setting to a secure value or remove the global unsafe‑best‑match configuration, ensuring that only trusted package indexes are consulted during a build

Generated by OpenCVE AI on June 22, 2026 at 23:21 UTC.
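
A defender-side check for the pattern this advisory describes, added here as an example that is not part of the advisory or the vLLM project: it scans a Dockerfile for installs that pass --extra-index-url while an unsafe uv index strategy is in effect. The sample Dockerfile text, the https:// form of the index URL, and the name audit_dockerfile are constructed for illustration.

```python
import re
import shlex

UNSAFE = {"unsafe-best-match", "unsafe-first-match"}   # uv strategies that search every index
VALUE_OPTS = {"--index-url", "-r", "-c"}               # other options that consume a value

# Constructed sample modelled on the advisory text, not copied from the vLLM repository.
SAMPLE_VULNERABLE = '''\
FROM python:3.12-slim
ENV UV_INDEX_STRATEGY="unsafe-best-match"
RUN --mount=type=cache,target=/root/.cache/uv \\
    uv pip install --system flashinfer-jit-cache==0.6.11.post2 \\
    --extra-index-url https://flashinfer.ai/whl/
'''
SAMPLE_HARDENED = SAMPLE_VULNERABLE.replace('ENV UV_INDEX_STRATEGY="unsafe-best-match"\n', "")

def audit_dockerfile(text):
    """Flag installs that add an extra index while an unsafe uv strategy is in effect."""
    findings, global_strategy = [], None
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        env = re.match(r'(?i)ENV\s+.*?UV_INDEX_STRATEGY[=\s]+"?([\w-]+)', line)
        if env:
            global_strategy = env.group(1)
        if not re.match(r"(?i)RUN\s", line) or "--extra-index-url" not in line:
            continue
        # Normalise "--opt=value" to "--opt value", then tokenise like a shell would.
        tokens = iter(shlex.split(re.sub(r"(--[\w-]+)=", r"\1 ", line[3:])))
        strategy, packages, extra, in_install = global_strategy, [], [], False
        for tok in tokens:
            if tok.startswith("UV_INDEX_STRATEGY="):      # per-command env prefix
                strategy = tok.split("=", 1)[1]
            elif tok == "--index-strategy":               # per-command override
                strategy = next(tokens, None)
            elif tok == "--extra-index-url":
                extra.append(next(tokens, ""))
            elif tok in VALUE_OPTS:
                next(tokens, None)
            elif tok == "install":
                in_install = True
            elif tok in ("&&", "||", ";"):
                in_install = False
            elif in_install and not tok.startswith("-"):
                packages.append(re.split(r"[=<>!~\[;@]", tok)[0])  # drop version/extras
        if packages and strategy in UNSAFE:
            findings.append({"packages": packages, "extra_indexes": extra, "strategy": strategy})
    return findings
```

With uv's default strategy (first-index), resolution stops at the first index that carries the package name, so the hardened sample produces no finding.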

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments. This vulnerability is fixed in 0.22.1.
Title vLLM: Dependency Confusion Vulnerability in vLLM Dockerfile
Weaknesses CWE-427
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T22:16:43.101Z

Reserved: 2026-06-12T16:25:43.084Z

Link: CVE-2026-54232

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element