CVE-2026-27893
Published: 27 March 2026
Summary
CVE-2026-27893 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Vllm Vllm. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching of vLLM to version 0.18.0, which fixes the hardcoded trust_remote_code=True bypass.
Establishes safeguards to restrict loading and execution of mobile code from untrusted model repositories, enforcing user-specified remote code distrust.
Verifies the integrity of software and code sub-components loaded by vLLM models to block unauthorized malicious code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables arbitrary code execution by bypassing trust_remote_code=False during model loading from remote repositories, mapping to client-side exploitation (T1203) and Python interpreter execution (T1059.006) in the vLLM Python codebase.
NVD Description
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote…
more
code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Deeper analysisAI
CVE-2026-27893 is a vulnerability in vLLM, an inference and serving engine for large language models (LLMs). It affects versions starting from 0.10.1 up to but not including 0.18.0. The issue stems from two model implementation files that hardcode `trust_remote_code=True` when loading sub-components, which bypasses the user's explicit `--trust-remote-code=False` security opt-out. This flaw enables remote code execution via malicious model repositories even when remote code trust is disabled, and it is classified under CWE-693 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by hosting a malicious model repository that users might load into vLLM. Although the user specifies `--trust-remote-code=False` to prevent code execution from untrusted sources, the hardcoded setting in the affected files overrides this protection, allowing arbitrary code execution on the victim's system. Exploitation requires user interaction, such as intentionally or inadvertently loading the malicious model, but needs no privileges and has low complexity over the network, potentially leading to high-impact compromise of confidentiality, integrity, and availability.
The vulnerability is addressed in vLLM version 0.18.0. Security advisories recommend upgrading to this patched version. Details on the fix are available in the vLLM GitHub security advisory at GHSA-7972-pg2x-xr59, pull request #36192, and the patching commit 00bd08edeee5dd4d4c13277c0114a464011acf72.
Details
- CWE(s)