{
  "threat_severity" : "Important",
  "public_date" : "2026-03-26T23:56:53Z",
  "bugzilla" : {
    "description" : "vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting",
    "id" : "2452055",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452055"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-501",
  "details" : [ "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.", "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, so the server-wide setting is ignored on those code paths. This bypasses the user's explicit `--trust-remote-code=False` security opt-out: an attacker who can get the server to load a model from a repository they control can achieve remote code execution, even on deployments that have disabled remote code trust. Exploitation requires the operator to load the attacker-controlled model (CVSS UI:R)." ],
  "statement" : "This is an Important vulnerability in vLLM, as shipped in Red Hat AI Inference Server, Red Hat Enterprise Linux AI and Red Hat OpenShift AI. The flaw allows remote code execution because vLLM hardcodes `trust_remote_code=True` when loading certain model sub-components, which bypasses the user's explicit `--trust-remote-code=False` security opt-out. Deployments that rely on that opt-out as a control against untrusted models are therefore not protected on the affected code paths; exploitation requires the server to load a model from an attacker-controlled repository.",
  "affected_release" : [ {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19724",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1779223654"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19725",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1779223651"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8746",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1775680192"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8747",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1775680262"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8748",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/model-opt-cuda-rhel9:1775749857"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-aws-cuda-rhel9:1776871984"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-azure-cuda-rhel9:1776871985"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-azure-rocm-rhel9:1776872005"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-cuda-rhel9:1776773390"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-gcp-cuda-rhel9:1776871987"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-rocm-rhel9:1776773505"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10141",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/disk-image-cuda-rhel9:1776938871"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-vllm-gaudi-rhel9:1778600187"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-neuron-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-spyre-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-router-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-storage-initializer-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-vllm-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-vllm-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27893\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27893\nhttps://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72\nhttps://github.com/vllm-project/vllm/pull/36192\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59" ],
  "name" : "CVE-2026-27893",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}