PT-2026-3865 · Hugging Face+1 · Hugging Face Auto Map+1

Arthurgervais +1 · Published 2026-01-21 · Updated 2026-01-30 · CVE-2026-22807

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

vLLM versions 0.10.1 through 0.13.x

Description

vLLM is an inference and serving engine for large language models (LLMs). The software loads Hugging Face auto_map dynamic modules during model resolution without verifying trust_remote_code. This allows attacker-controlled Python code within a model repository or path to execute when the server starts. An attacker who can control the model repository or path can achieve arbitrary code execution on the vLLM host during model loading. This occurs before any request handling and does not require API access. The auto_map resolution in vllm/model_executor/models/registry.py and the execution of code through get_class_from_dynamic_module in vllm/transformers_utils/dynamic_module.py are relevant to this issue.

Recommendations

Upgrade to vLLM version 0.14.0 or later. Audit any custom Hugging Face models loaded in your ML pipeline.
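One way to start the audit recommended above is to list every auto_map code reference in a locally stored model directory before it is served. This is an added example, not code from vLLM or from this advisory. The function names, the two config file names checked, and the "repo--module.Class" reference form are assumptions based on the usual Hugging Face layout, and the sample directory is constructed.

```python
import json
import tempfile
from pathlib import Path

# Files that can carry an auto_map key (assumption: extend for your pipeline).
CONFIG_FILES = ("config.json", "tokenizer_config.json")


def audit_model_dir(model_dir):
    """Return one finding per auto_map code reference found in model_dir."""
    root, findings = Path(model_dir), []
    for name in CONFIG_FILES:
        path = root / name
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"file": name, "error": "unreadable or invalid JSON"})
            continue
        auto_map = data.get("auto_map") if isinstance(data, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for auto_class, value in auto_map.items():
            # A value is one string, or a list that may contain null entries.
            refs = value if isinstance(value, list) else [value]
            for ref in (r for r in refs if isinstance(r, str)):
                repo, _, target = ref.rpartition("--")  # "repo--module.Class"
                module = target.rsplit(".", 1)[0] + ".py"
                findings.append({
                    "file": name, "auto_class": auto_class, "reference": ref,
                    "external_repo": repo or None,
                    "module_present": (root / module).is_file(),
                })
    return findings


def demo():
    """Run the audit on a constructed model directory (sample data, not real)."""
    cfg = {"auto_map": {"AutoConfig": "configuration_demo.DemoConfig",
                        "AutoModel": "someorg/somerepo--modeling_demo.DemoModel"}}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "config.json").write_text(json.dumps(cfg), encoding="utf-8")
        Path(d, "configuration_demo.py").write_text("# placeholder\n", encoding="utf-8")
        return audit_model_dir(d)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding means the model directory asks the loader to import Python code, so review the referenced module, or the external repository it names, before that model is loaded.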

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-22807
GHSA-2PC9-4J83-QJMR

Affected Products

Hugging Face Auto Map
vLLM