CVE-2026-22807
vLLM affected by RCE via auto_map dynamic module loading during model initialization
CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, so attacker-controlled Python code placed in a model repo or model path executes at server startup. An attacker who can influence the model repo/path (a local directory or a remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. The code runs before any request handling, so no API access is required; the User Interaction: Required component of the CVSS vector reflects only that an operator must point vLLM at the attacker-controlled model. Version 0.14.0 fixes the issue.
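The vulnerable pattern is a load path that reads `auto_map` from the repo's `config.json` and imports the referenced module regardless of the caller's `trust_remote_code` setting. The following is an added example, not vLLM's own resolution code or its fix (the fix is in the commit referenced below): it implements the gate a practitioner would want in front of any loader, parsing `config.json`, listing the repo-local `.py` files an `auto_map` entry would import, and refusing unless `trust_remote_code=True`. Function names, the report layout and the demo model directory it builds are assumptions constructed for illustration so the script runs offline.

```python
import json
import tempfile
from pathlib import Path


class UntrustedRemoteCode(PermissionError):
    """A model would import repo-supplied Python, but trust_remote_code is False."""


def auto_map_targets(config: dict) -> dict:
    """Collect every 'module.Class' reference under config['auto_map'].

    Tokenizer entries may be lists such as ["tokenization_x.XTokenizer", null]
    (slow/fast pair); cross-repo entries look like "org/repo--module.Class".
    """
    targets = {}
    for auto_class, ref in (config.get("auto_map") or {}).items():
        refs = ref if isinstance(ref, list) else [ref]
        targets[auto_class] = [r for r in refs if r]
    return targets


def module_file_for(ref: str) -> str:
    """'org/repo--modeling_x.XModel' -> 'modeling_x.py' (path relative to the repo)."""
    spec = ref.split("--")[-1]
    module = spec.rsplit(".", 1)[0]
    return module.replace(".", "/") + ".py"


def audit_model_dir(model_dir: str, trust_remote_code: bool = False) -> dict:
    """Parse config.json and gate the load on trust_remote_code.

    Returns a report of what a dynamic-module load would import; raises
    UntrustedRemoteCode if any auto_map entry exists and the caller did not
    opt in. Hypothetical guard, not vLLM's own code.
    """
    model_dir = Path(model_dir)
    config = json.loads((model_dir / "config.json").read_text())
    targets = auto_map_targets(config)
    all_refs = [r for refs in targets.values() for r in refs]
    report = {
        "auto_map_classes": sorted(targets),
        "python_files": sorted({module_file_for(r) for r in all_refs}),
        "cross_repo_refs": sorted(r for r in all_refs if "--" in r),
    }
    # Any auto_map entry means arbitrary module-level code runs at import
    # time, before a single request is served, so refuse without opt-in.
    if all_refs and not trust_remote_code:
        raise UntrustedRemoteCode(
            f"{model_dir} declares auto_map entries that would import "
            f"{report['python_files']} during model load; refusing without "
            "trust_remote_code=True"
        )
    return report


def would_refuse(model_dir: str, trust_remote_code: bool) -> bool:
    """True if audit_model_dir would block this load."""
    try:
        audit_model_dir(model_dir, trust_remote_code)
    except UntrustedRemoteCode:
        return True
    return False


def build_demo_model_dir(with_auto_map: bool = True) -> str:
    """Construct a minimal local 'model repo' in a temp dir (constructed sample).

    The .py files only contain a print; a malicious repo would put its payload
    at module level in exactly the same place.
    """
    d = Path(tempfile.mkdtemp(prefix="demo-model-"))
    config = {"model_type": "demo", "architectures": ["DemoForCausalLM"]}
    if with_auto_map:
        config["auto_map"] = {
            "AutoConfig": "configuration_demo.DemoConfig",
            "AutoModelForCausalLM": "modeling_demo.DemoForCausalLM",
            "AutoTokenizer": ["tokenization_demo.DemoTokenizer", None],
        }
        for name in ("configuration_demo", "modeling_demo", "tokenization_demo"):
            (d / f"{name}.py").write_text(
                f'print("module-level code in {name}.py ran at import time")\n'
            )
    (d / "config.json").write_text(json.dumps(config, indent=2))
    return str(d)


if __name__ == "__main__":
    repo = build_demo_model_dir()
    print("refused without opt-in:", would_refuse(repo, trust_remote_code=False))
    print(audit_model_dir(repo, trust_remote_code=True))
```

The same audit is useful on a fixed version as a pre-deployment check: run it over every model directory an operator intends to serve, and treat any non-empty `python_files` or `cross_repo_refs` as a review item rather than something to wave through with `--trust-remote-code`.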
| Field | Value |
|---|---|
| CWE | CWE-94 |
| Vendor | vllm-project |
| Product | vllm |
| Published | Jan 21, 2026 |
| Last Updated | Jun 30, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
vllm-project / vllm: >= 0.10.1, < 0.14.0
References
- https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr
- https://github.com/vllm-project/vllm/pull/32194
- https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5
- https://github.com/vllm-project/vllm/releases/tag/v0.14.0
- https://access.redhat.com/security/cve/CVE-2026-22807
- https://bugzilla.redhat.com/show_bug.cgi?id=2431865
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22807.json
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30087
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:5119