If your team runs vLLM 0.10.1–0.17.x with --trust-remote-code=False, that control is silently ignored for certain model sub-components — you have a false sense of security. Any malicious model loaded from an external repository (HuggingFace, S3, etc.) can execute arbitrary code on your inference server. Upgrade to vLLM 0.18.0 immediately; until patched, restrict model loading strictly to internally-hosted, verified artifacts.
What is the risk?
High operational risk for AI/ML teams running vLLM in production or staging environments. The core danger is the security theater: operators who explicitly set --trust-remote-code=False believe they are protected — they are not. EPSS (0.00032) suggests no active exploitation yet, but the attack requires only a convincing malicious model repository and a standard model-loading workflow. Organizations loading third-party or community models are directly in the blast radius. CVSS 8.8 reflects accurate severity: network-reachable, low complexity, full C/I/A impact once triggered.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| vLLM | pip | >= 0.10.1, < 0.18.0 | 0.18.0 |
Do you use vLLM? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
PATCH
Upgrade to vLLM 0.18.0 — this is the only complete fix.
-
IMMEDIATE WORKAROUND
Restrict model sources to internally-mirrored, verified repositories only. Block direct HuggingFace or external S3 model loading until patched.
-
AUDIT
Inventory all vLLM instances across environments (dev, staging, prod); check version with
pip show vllm. -
DETECT
Review recent model load events in vLLM logs for external model sources; flag any models loaded from outside your approved registry.
-
HARDEN
Implement model signing and hash verification before loading any model artifact, regardless of vLLM version.
-
ISOLATE
Run vLLM inference processes with minimum necessary permissions and network segmentation to limit blast radius if exploited.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-27893?
If your team runs vLLM 0.10.1–0.17.x with --trust-remote-code=False, that control is silently ignored for certain model sub-components — you have a false sense of security. Any malicious model loaded from an external repository (HuggingFace, S3, etc.) can execute arbitrary code on your inference server. Upgrade to vLLM 0.18.0 immediately; until patched, restrict model loading strictly to internally-hosted, verified artifacts.
Is CVE-2026-27893 actively exploited?
No confirmed active exploitation of CVE-2026-27893 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-27893?
1. PATCH: Upgrade to vLLM 0.18.0 — this is the only complete fix. 2. IMMEDIATE WORKAROUND: Restrict model sources to internally-mirrored, verified repositories only. Block direct HuggingFace or external S3 model loading until patched. 3. AUDIT: Inventory all vLLM instances across environments (dev, staging, prod); check version with `pip show vllm`. 4. DETECT: Review recent model load events in vLLM logs for external model sources; flag any models loaded from outside your approved registry. 5. HARDEN: Implement model signing and hash verification before loading any model artifact, regardless of vLLM version. 6. ISOLATE: Run vLLM inference processes with minimum necessary permissions and network segmentation to limit blast radius if exploited.
What systems are affected by CVE-2026-27893?
This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model evaluation pipelines, multi-model serving platforms, fine-tuning pipelines, model-as-a-service APIs.
What is the CVSS score for CVE-2026-27893?
CVE-2026-27893 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.36%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.003 Model AML.T0011.000 Unsafe AI Artifacts AML.T0018.002 Embed Malware AML.T0058 Publish Poisoned Models AML.T0072 Reverse Shell Compliance Controls Affected
What are the technical details?
Original Advisory
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Exploitation Scenario
An adversary publishes a seemingly legitimate LLM variant on HuggingFace — a fine-tuned model with a slightly modified architecture requiring custom code. The model's custom Python files contain a reverse shell or credential harvester. A data science team evaluating the model runs vLLM with --trust-remote-code=False, confident the security control protects them. During model loading, vLLM internally calls load_pretrained on sub-components using hardcoded trust_remote_code=True, bypassing the user flag. The malicious Python code executes in the context of the inference server process, giving the adversary RCE with access to model weights, inference traffic, internal APIs, and potentially cloud credentials mounted in the environment.
Weaknesses (CWE)
CWE-693 Protection Mechanism Failure
Primary
CWE-693 Protection Mechanism Failure
Primary
CWE-693 Protection Mechanism Failure CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2024-9053 9.8 vllm: RCE via unsafe pickle deserialization in RPC server
Same package: vllm CVE-2024-11041 9.8 vllm: RCE via unsafe pickle deserialization in MessageQueue
Same package: vllm CVE-2026-25960 9.8 vllm: SSRF allows internal network access
Same package: vllm CVE-2025-47277 9.8 vLLM: RCE via exposed TCPStore in distributed inference
Same package: vllm CVE-2025-32444 9.8 vLLM: RCE via pickle deserialization on ZeroMQ
Same package: vllm