CVE-2026-22807

HIGH

vllm 0.10.1-0.13.0 - Remote Code Execution via Hugging Face auto_map Dynamic Module Loading

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-22807. PoCs published by XiaomingX, otakuliu.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept exploit for CVE-2026-22807, demonstrating a supply chain attack via AI model loading. The exploit leverages a TOCTOU (Time-of-Check Time-of-Use) vulnerability in AI inference frameworks, where malicious code is executed before security checks are performed.

Description

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
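The fix described above is to gate dynamic-module loading on `trust_remote_code`. The following is an added example of such a pre-load check, not vLLM's own code; it assumes only the standard Hugging Face layout in which `config.json` carries an `auto_map` block whose values name shipped Python modules (`module.Class`, or `repo--module.Class`), and it builds its own sample model directories in a temporary folder.

```python
"""Pre-load gate for Hugging Face model directories (added example, not vLLM code)."""
import json
import tempfile
from pathlib import Path


def auto_map_modules(config: dict) -> list[str]:
    """Return the Python module names referenced by config['auto_map'], if any."""
    modules = set()
    for ref in config.get("auto_map", {}).values():
        ref = ref.split("--")[-1]           # drop an optional "org/repo--" prefix
        modules.add(ref.rsplit(".", 1)[0])  # "module.Class" -> "module"
    return sorted(modules)


def gate_model_dir(model_dir, trust_remote_code: bool = False) -> dict:
    """Decide whether a local model directory may be loaded.

    Refuses when config.json declares auto_map entries and the caller did not
    opt in with trust_remote_code, and reports which module files would execute.
    """
    model_dir = Path(model_dir)
    cfg_path = model_dir / "config.json"
    config = json.loads(cfg_path.read_text()) if cfg_path.exists() else {}
    modules = auto_map_modules(config)
    if not modules:
        return {"allowed": True, "dynamic_modules": [], "module_files_present": []}
    present = [m for m in modules if (model_dir / f"{m}.py").exists()]
    return {"allowed": trust_remote_code, "dynamic_modules": modules,
            "module_files_present": present}


def demo() -> dict:
    """Constructed sample: a plain model directory and one that declares auto_map."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        plain = Path(root) / "plain"
        plain.mkdir()
        (plain / "config.json").write_text(json.dumps({"architectures": ["LlamaForCausalLM"]}))
        dyn = Path(root) / "dynamic"
        dyn.mkdir()
        (dyn / "config.json").write_text(json.dumps({
            "architectures": ["CustomForCausalLM"],
            "auto_map": {"AutoConfig": "configuration_custom.CustomConfig",
                         "AutoModelForCausalLM": "modeling_custom.CustomForCausalLM"}}))
        (dyn / "modeling_custom.py").write_text("# constructed stand-in for shipped model code\n")
        results["plain"] = gate_model_dir(plain)
        results["dynamic_untrusted"] = gate_model_dir(dyn)
        results["dynamic_trusted"] = gate_model_dir(dyn, trust_remote_code=True)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the gate before handing a model path to any loader; a refusal on a directory the operator believed to be a plain weights checkout is the signal that code would have executed at startup.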

Exploits (2)

github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-22807

This repository contains a functional proof-of-concept exploit for CVE-2026-22807, demonstrating a supply chain attack via AI model loading. The exploit leverages a TOCTOU (Time-of-Check Time-of-Use) vulnerability in AI inference frameworks, where malicious code is executed before security checks are performed.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: AI model loading frameworks (e.g., vLLM, Transformers)
No auth needed
Prerequisites: Python 3.x · ability to place malicious model files in a directory accessible to the target system
devstral-2 · analyzed Feb 27, 2026

nomisec · WORKING POC
by otakuliu · poc
https://github.com/otakuliu/CVE-2026-22807_Range

This PoC demonstrates a supply chain attack (CVE-2026-22807) exploiting a TOCTOU vulnerability in AI model loaders, where remote code execution occurs before trust checks are enforced.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: AI model loaders (simulated as MiniLLM)
No auth needed
Prerequisites: Python 3.x · Write access to generate malicious model files
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0003
EPSS Percentile 8.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
pypi/vllm 0.10.1 - 0.14.0 (PyPI)
vllm/vllm 0.10.1 - 0.14.0
Published Jan 21, 2026
Tracked Since Feb 18, 2026