CVE-2026-54232
HIGHvLLM < 0.22.1 Dockerfile - Dependency Confusion Code Execution
Title source: manualDescription
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-427
Status
published
Products (2)
vllm/vllm
< 0.22.1
vllm-project/vllm
< 0.22.1
Published
Jun 22, 2026
Tracked Since
Jun 23, 2026