PT-2026-3865 · Hugging Face+1 · Hugging Face Auto Map+1
Arthurgervais +1
Published: 2026-01-21
Updated: 2026-01-30
CVE-2026-22807
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
vLLM versions 0.10.1 through 0.13.x
Description
vLLM is an inference and serving engine for large language models (LLMs). The software loads Hugging Face auto_map dynamic modules during model resolution without verifying trust_remote_code. This allows attacker-controlled Python code within a model repository or path to execute when the server starts. An attacker who can control the model repository or path can achieve arbitrary code execution on the vLLM host during model loading. This occurs before any request handling and does not require API access. The auto_map resolution in vllm/model_executor/models/registry.py and the execution of code through get_class_from_dynamic_module in vllm/transformers_utils/dynamic_module.py are relevant to this issue.
Recommendations
Upgrade to vLLM version 0.14.0 or later.
Audit any custom Hugging Face models loaded in your ML pipeline.
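One way to act on the audit recommendation, as an added example (not code from vLLM or from this advisory): it walks a directory of downloaded models and lists every Python module that a config.json or tokenizer_config.json declares under auto_map, including cross-repository references written as owner/repo--module.Class. The function names and the sample tree are constructed for illustration; the reference formats are assumed to be those used by the Transformers library.

```python
import json
import tempfile
from pathlib import Path

# Files in which a Hugging Face repository may declare an auto_map.
CONFIG_NAMES = ("config.json", "tokenizer_config.json")

def auto_map_refs(config):
    """Return (auto_class, repo_or_None, module_file, class_name) per auto_map entry."""
    refs = []
    auto_map = config.get("auto_map")
    for auto_class, value in (auto_map.items() if isinstance(auto_map, dict) else ()):
        # A value is one "module.Class" string or a list of them (tokenizers: slow, fast).
        for ref in (value if isinstance(value, (list, tuple)) else [value]):
            if not isinstance(ref, str):
                continue  # null slot, e.g. no fast tokenizer
            # "owner/repo--module.Class" points at code hosted in another repository.
            repo, _, target = ref.rpartition("--")
            module, _, cls = target.rpartition(".")
            refs.append((auto_class, repo or None, module + ".py", cls))
    return refs

def audit_tree(root):
    """Map each model directory under root to the dynamic code its configs reference."""
    findings = {}
    for cfg_path in sorted(p for p in Path(root).rglob("*.json") if p.name in CONFIG_NAMES):
        try:
            config = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed: review by hand
        if isinstance(config, dict) and auto_map_refs(config):
            findings.setdefault(str(cfg_path.parent), []).extend(auto_map_refs(config))
    return findings

def demo():
    """Constructed sample tree: one model declaring auto_map, one that does not."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "custom": {"auto_map": {"AutoModelForCausalLM": "modeling_x.XForCausalLM",
                                "AutoConfig": "org/base--configuration_x.XConfig"}},
        "plain": {"model_type": "llama"},
    }
    for name, cfg in samples.items():
        (root / name).mkdir()
        (root / name / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
    return root, audit_tree(root)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

A hit is not a compromise by itself; it identifies the model directories whose referenced .py files need review before an affected vLLM version loads them.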
Exploit
Fix
RCE
Code Injection
Affected Products
Hugging Face Auto Map
vLLM