Cyber Resilience

CVE-2026-27893

High · Updated

Published: 27 March 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0075 (50.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27893 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in vLLM. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 49.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27893 is a vulnerability in vLLM, an inference and serving engine for large language models (LLMs). It affects versions starting from 0.10.1 up to but not including 0.18.0. The issue stems from two model implementation files that hardcode `trust_remote_code=True` when loading sub-components, which bypasses the user's explicit `--trust-remote-code=False` security opt-out. This flaw enables remote code execution via malicious model repositories even when remote code trust is disabled, and it is classified under CWE-693 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by hosting a malicious model repository that users might load into vLLM. Although the user specifies `--trust-remote-code=False` to prevent code execution from untrusted sources, the hardcoded setting in the affected files overrides this protection, allowing arbitrary code execution on the victim's system. Exploitation requires user interaction, such as intentionally or inadvertently loading the malicious model, but needs no privileges and has low complexity over the network, potentially leading to high-impact compromise of confidentiality, integrity, and availability.

The vulnerability is addressed in vLLM version 0.18.0. Security advisories recommend upgrading to this patched version. Details on the fix are available in the vLLM GitHub security advisory at GHSA-7972-pg2x-xr59, pull request #36192, and the patching commit 00bd08edeee5dd4d4c13277c0114a464011acf72.
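The pattern described above can be audited for in Python model code with a small AST check. This is an added example, not code from vLLM or from the advisory; the function names and the `SAMPLE` snippet are constructed for illustration, and the version bounds are the ones stated on this page.

```python
import ast

# Constructed sample, not vLLM source: the first call forwards the user's
# setting, the second hardcodes True, which is the pattern the advisory describes.
SAMPLE = '''
def load(model_config, loader):
    ok = loader.from_pretrained(model_config.path,
                                trust_remote_code=model_config.trust_remote_code)
    sub = loader.from_pretrained(model_config.sub_path, trust_remote_code=True)
    return ok, sub
'''

AFFECTED_FROM, FIXED_IN = (0, 10, 1), (0, 18, 0)  # range stated on this page


def hardcoded_trust_calls(source, filename="<source>"):
    """Return (filename, line, callee) for each call passing a literal trust_remote_code=True."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:  # **kwargs entries have kw.arg None and are skipped
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((filename, node.lineno, ast.unparse(node.func)))
    return sorted(hits)


def is_affected(version):
    """True if a plain X.Y.Z release string falls in [0.10.1, 0.18.0)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_FROM <= parts < FIXED_IN


if __name__ == "__main__":
    for fname, line, callee in hardcoded_trust_calls(SAMPLE, "sample.py"):
        print(f"{fname}:{line}: {callee}(..., trust_remote_code=True) ignores the user's setting")
    for v in ("0.10.0", "0.10.1", "0.17.1", "0.18.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The check only flags the literal keyword form; a value passed through a variable or a `**kwargs` dictionary needs manual review.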

Vulnerability details

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llms, vllm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.006 Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability directly enables arbitrary code execution by bypassing `trust_remote_code=False` during model loading from remote repositories, mapping to client-side exploitation (T1203) and Python interpreter execution (T1059.006) in the vLLM Python codebase.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66448 (same product: vLLM)
CVE-2026-22807 (same product: vLLM)
CVE-2025-24357 (same product: vLLM)
CVE-2025-62164 (same product: vLLM)
CVE-2024-11041 (same product: vLLM)
CVE-2025-29783 (same product: vLLM)
CVE-2026-22773 (same product: vLLM)
CVE-2026-22778 (same product: vLLM)
CVE-2026-24779 (same product: vLLM)
CVE-2026-25960 (same product: vLLM)

Affected Assets

vllm / vllm: versions 0.10.1 up to, but not including, 0.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the vulnerability by requiring timely patching of vLLM to version 0.18.0, which fixes the hardcoded `trust_remote_code=True` bypass.

Prevent: Establishes safeguards to restrict loading and execution of mobile code from untrusted model repositories, enforcing user-specified remote code distrust.

Prevent: Verifies the integrity of software and code sub-components loaded by vLLM models to block unauthorized malicious code execution.
