CVE-2026-22807
Published: 21 January 2026
Summary
CVE-2026-22807 is a high-severity Code Injection (CWE-94) vulnerability in vLLM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: Python (T1059.006). The CVE is ranked at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of vLLM to version 0.14.0 or later restores the `trust_remote_code` gate, so `auto_map` dynamic modules from an attacker-controlled model path are no longer executed ungated during model loading.
- CM-11 (User-installed Software): prohibit users and administrators from installing or loading models from untrusted repositories without prior scanning or verification, so a malicious model path never reaches the serving host.
- SI-3 (Malicious Code Protection): scan Hugging Face model repositories and local model directories for embedded Python code and block their use before server startup.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct arbitrary Python code execution via bypassed trust_remote_code during model loading enables T1059.006.
NVD Description
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue.
Deeper analysis
CVE-2026-22807 is a code injection vulnerability (CWE-94) affecting vLLM, an open-source inference and serving engine for large language models (LLMs). The issue impacts versions starting from 0.10.1 up to but not including 0.14.0. During model resolution, vLLM loads Hugging Face `auto_map` dynamic modules without enforcing the `trust_remote_code` gate, enabling the execution of attacker-supplied Python code embedded in a model repository or path at server startup.
An attacker who can influence the target model's repository path—either a local directory or a remote Hugging Face repository—can exploit this to achieve arbitrary code execution on the vLLM host. Exploitation occurs during the model loading phase, prior to any request handling or API access, requiring user interaction such as an administrator loading a malicious model. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts over the network with low complexity and no privileges required.
The vLLM project addressed the issue in version 0.14.0, as detailed in the security advisory (GHSA-2pc9-4j83-qjmr), the fixing pull request (#32194), and the associated commit (78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5). Security practitioners should upgrade to v0.14.0 or later and verify `trust_remote_code` handling when loading models from untrusted sources.
This vulnerability is particularly relevant to AI/ML deployments relying on vLLM for LLM serving, highlighting risks in automated model loading from public repositories like Hugging Face. No public evidence of real-world exploitation is available as of the CVE publication on 2026-01-21.
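The mechanism above (dynamic `auto_map` modules executed at model load) and the CM-11/SI-3 mitigations listed earlier both come down to one pre-startup check: does this model directory declare dynamic modules, and has the operator explicitly opted in? The following is an added example of such a gate, written for this page; it is not vLLM's code nor the project's fix. It reads the Hugging Face `config.json` of a local model directory, enumerates `auto_map` entries (plain `module.Class` references and the `org/repo--module.Class` form that points at another repository), and refuses the load unless `trust_remote_code=True` was passed. The function names `audit_model_dir`, `parse_auto_map_entry` and `build_sample_model_dir` are hypothetical, and the sample model directory is constructed inline so the script runs offline.

```python
"""Pre-load audit for a Hugging Face model directory (added example, not vLLM code).

Refuses to proceed when config.json declares `auto_map` dynamic modules and the
operator has not explicitly set trust_remote_code=True. Run it before handing
a model path to any serving engine.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuditResult:
    auto_map: dict = field(default_factory=dict)        # raw auto_map from config.json
    module_files: List[str] = field(default_factory=list)   # referenced .py files present locally
    missing_files: List[str] = field(default_factory=list)  # referenced .py files absent locally
    external_refs: List[str] = field(default_factory=list)  # entries that point at another repo
    needs_remote_code: bool = False
    allowed: bool = True
    reason: str = "no dynamic modules declared"


def parse_auto_map_entry(value: str) -> Tuple[Optional[str], str, str]:
    """Split an auto_map value into (repo_id or None, module, class name).
    Hugging Face writes "module.ClassName" for code shipped in the same repo and
    "org/repo--module.ClassName" when the code lives in a different repo."""
    repo_id = None
    if "--" in value:
        repo_id, value = value.split("--", 1)
    module, _, class_name = value.rpartition(".")
    return repo_id, module, class_name


def audit_model_dir(model_dir: str, trust_remote_code: bool = False) -> AuditResult:
    """Inspect config.json and decide whether loading this model would execute
    repository-supplied Python. Only config.json is inspected; tokenizer_config.json
    can carry its own auto_map and would be handled the same way."""
    result = AuditResult()
    config_path = os.path.join(model_dir, "config.json")
    if not os.path.exists(config_path):
        result.allowed = False
        result.reason = "config.json not found; cannot audit"
        return result
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    auto_map = config.get("auto_map") or {}
    if not isinstance(auto_map, dict) or not auto_map:
        return result  # weights-only model: nothing dynamic to execute
    result.auto_map = auto_map
    result.needs_remote_code = True
    for entry in auto_map.values():
        # tokenizer entries may be a [slow, fast] pair; model entries are a string
        for ref in (entry if isinstance(entry, list) else [entry]):
            if not ref:
                continue
            repo_id, module, _ = parse_auto_map_entry(ref)
            if repo_id:
                result.external_refs.append(ref)  # code would be fetched from elsewhere
                continue
            module_file = os.path.join(model_dir, module.replace(".", os.sep) + ".py")
            bucket = result.module_files if os.path.exists(module_file) else result.missing_files
            bucket.append(module_file)
    if trust_remote_code:
        result.reason = "dynamic modules allowed by explicit trust_remote_code=True"
    else:
        result.allowed = False
        result.reason = "config.json declares auto_map dynamic modules but trust_remote_code is False"
    return result


def build_sample_model_dir() -> str:
    """Constructed sample: a throwaway model directory with an auto_map that
    references one local module that exists, one that is missing, and one
    external-repo tokenizer. The file contents are inert placeholders."""
    model_dir = tempfile.mkdtemp(prefix="model-audit-")
    config = {
        "model_type": "demo",
        "auto_map": {
            "AutoConfig": "configuration_demo.DemoConfig",
            "AutoModelForCausalLM": "modeling_demo.DemoForCausalLM",
            "AutoTokenizer": ["example-org/example-repo--tokenization_demo.DemoTokenizer", None],
        },
    }
    with open(os.path.join(model_dir, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    with open(os.path.join(model_dir, "modeling_demo.py"), "w", encoding="utf-8") as fh:
        fh.write("# placeholder module; a real repo would define DemoForCausalLM here\n")
    return model_dir


if __name__ == "__main__":
    sample = build_sample_model_dir()
    for flag in (False, True):
        report = audit_model_dir(sample, trust_remote_code=flag)
        print(f"trust_remote_code={flag}: allowed={report.allowed} ({report.reason})")
        print(f"  local modules present: {report.module_files}")
        print(f"  local modules missing: {report.missing_files}")
        print(f"  external references:   {report.external_refs}")
```

The useful signal for a defender is not just the allow/deny decision: `missing_files` shows references that would have to be satisfied at load time, and `external_refs` shows code that would be pulled from a repository other than the one being audited. Either list being non-empty for a model that was supposed to be weights-only is a reason to stop and look before startup.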
Details
- CWE(s)