CVE-2026-22807 in vLLM
Summary
by MITRE • 01/22/2026
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
Analysis
by VulDB Data Team • 01/31/2026
CVE-2026-22807 affects vLLM, an inference and serving engine for large language models, and is classified under CWE-494 (Code Loading and Execution). The flaw exists in versions 0.10.1 through 0.13.0: during model resolution, vLLM loads the Hugging Face `auto_map` dynamic modules referenced by a model's configuration without first checking that the `trust_remote_code` parameter permits it.
In practice this lets an attacker execute arbitrary code on the vLLM host during the model loading phase, which completes before any API request is processed. Anyone who can influence the model repository or path, whether by manipulating a local model directory or by compromising a remote Hugging Face repository, can place malicious Python code in the model files, and that code runs automatically when the server starts. The defect sits at the core of the model loading mechanism, where code from the model source is trusted and executed without the security gate that `trust_remote_code` is meant to provide.
The operational impact is critical: an attacker gains complete control of the vLLM host environment without any API access or authentication. Because execution happens at server startup, administrators cannot detect or prevent it through normal operational procedures. The attack surface covers every system running a vulnerable vLLM version that loads models from untrusted sources, so deployments that pull models from remote repositories are exposed to widespread compromise.
The fix in version 0.14.0 gates dynamic module loading on the `trust_remote_code` parameter, so remote code runs only when an administrator has explicitly permitted it. The vulnerability maps to ATT&CK technique T1059.001 (Command and Scripting Interpreter), that is, execution of malicious code through a legitimate interpreter process. Organizations should upgrade to version 0.14.0 or later immediately, and should also validate model repositories and enforce access controls on model sources to minimize exposure.
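The following added example (not vLLM's own code) shows the pre-load check the fix describes: it reads a Hugging Face `config.json`, lists the dynamic Python modules its `auto_map` would pull in, and refuses to proceed unless `trust_remote_code` is set. The sample configurations are constructed; the `"org/repo--module.Class"` form is the Hugging Face convention for pointing at code in another repository.

```python
import json
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample config.json contents. The first one references custom
# modules shipped next to the weights; the second is a plain architecture.
SAMPLE_CONFIG_WITH_AUTO_MAP = json.dumps({
    "model_type": "llama",
    "auto_map": {
        "AutoConfig": "configuration_custom.CustomConfig",
        "AutoModelForCausalLM": "other-org/other-repo--modeling_custom.CustomForCausalLM",
    },
})
SAMPLE_CONFIG_PLAIN = json.dumps({"model_type": "llama"})


@dataclass
class RemoteCodeReport:
    # Tuples of (auto_map key, source repo or None, module file, class name).
    modules: list = field(default_factory=list)

    def requires_trust_remote_code(self) -> bool:
        return bool(self.modules)


def inspect_auto_map(config_text: str) -> RemoteCodeReport:
    """List the dynamic modules a config.json would import via auto_map."""
    cfg = json.loads(config_text)
    report = RemoteCodeReport()
    for key, ref in (cfg.get("auto_map") or {}).items():
        repo = None
        if "--" in ref:  # "org/repo--module.Class": code lives in another repo
            repo, ref = ref.split("--", 1)
        module, _, cls = ref.rpartition(".")
        report.modules.append((key, repo, f"{module}.py", cls))
    return report


def gate_model_load(config_text: str, trust_remote_code: bool) -> bool:
    """Post-fix behaviour: allow auto_map modules only when trust_remote_code=True."""
    report = inspect_auto_map(config_text)
    return trust_remote_code or not report.requires_trust_remote_code()


def gate_model_dir(model_dir: str, trust_remote_code: bool) -> bool:
    """Same check for the local-directory case described in the advisory."""
    cfg_path = Path(model_dir) / "config.json"
    return gate_model_load(cfg_path.read_text(), trust_remote_code)
```

Run `gate_model_dir("/path/to/model", trust_remote_code=False)` before handing a directory to the server; a `False` result means the model would have executed repository-supplied Python on a vulnerable version.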