CVE-2026-22807

HIGH

vLLM < 0.14.0 - Code Injection

Description

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
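A pre-deployment check for the condition described above, written for this page as an added example (it is not vLLM or Hugging Face code): it lists every `auto_map` entry in a local model directory so the referenced Python modules can be reviewed before the path is handed to an affected vLLM version. The set of config files scanned and the function names are assumptions of the example; the version range is the one stated in the description.

```python
import json
import re
import sys
from pathlib import Path

# Files that can carry an auto_map entry (assumed list, extend as needed).
CONFIG_FILES = ("config.json", "tokenizer_config.json", "preprocessor_config.json")
AFFECTED_FROM, FIXED_IN = (0, 10, 1), (0, 14, 0)  # range stated in the advisory


def vllm_is_affected(version):
    """True for 0.10.1 <= version < 0.14.0; pre-release/post suffixes are ignored."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return AFFECTED_FROM <= nums < FIXED_IN


def _refs(value):
    """auto_map values are a string or a list of strings/nulls."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _refs(item)


def find_auto_map(model_dir):
    """Return (file, auto class, reference, local_py_present) per auto_map entry."""
    root, findings = Path(model_dir), []
    for name in CONFIG_FILES:
        try:
            cfg = json.loads((root / name).read_text(encoding="utf-8"))
        except FileNotFoundError:
            continue
        except (OSError, ValueError):
            findings.append((name, "<unreadable>", "", False))
            continue
        auto_map = cfg.get("auto_map") if isinstance(cfg, dict) else None
        for auto_cls, value in (auto_map if isinstance(auto_map, dict) else {}).items():
            for ref in _refs(value):
                # "repo--module.Class" names another repo; "module.Class" a file beside the config.
                module = ref.split("--")[-1].rsplit(".", 1)[0]
                local = "--" not in ref and (root / f"{module}.py").is_file()
                findings.append((name, auto_cls, ref, local))
    return findings


if __name__ == "__main__":
    for row in find_auto_map(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("auto_map:", *row)
```

An empty result means no dynamic-module reference was found in the scanned files; any finding on a host where `vllm_is_affected()` is true should be reviewed or the host upgraded to 0.14.0 before the model is loaded.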

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-22807
nomisec WORKING POC
by otakuliu · poc
https://github.com/otakuliu/CVE-2026-22807_Range

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 6.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
pypi/vllm 0.10.1 - 0.14.0 (PyPI)
vllm/vllm 0.10.1 - 0.14.0
Published Jan 21, 2026
Tracked Since Feb 18, 2026