{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27893", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.717Z", "datePublished": "2026-03-26T23:56:53.579Z", "dateUpdated": "2026-03-26T23:56:53.579Z"}, "containers": {"cna": {"title": "vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"}, {"name": "https://github.com/vllm-project/vllm/pull/36192", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/36192"}, {"name": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": ">= 0.10.1, < 0.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:56:53.579Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue."}], "source": {"advisory": "GHSA-7972-pg2x-xr59", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue."}], "id": "CVE-2026-27893", "lastModified": "2026-03-27T00:16:22.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:22.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/pull/36192"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.1,0.18.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vllm", "source": "cna", "vendor": "vllm-project"}, "product": "vllm", "vendor": "vllm-project"}], "analysis": {"en": {"generated_at": "2026-03-27T06:26:22.755612+00:00", "value": {"mitigation_remediation": ["Upgrade vLLM to version 0.18.0 or later", "If an upgrade is not immediately possible, modify the code or configuration to force trust_remote_code=False when loading models, or remove the hardcoded setting from implementation files", "Verify that no untrusted model repositories are being used and audit execution logs for signs of malicious code", "Stay informed by monitoring the vLLM project\u2019s security advisories for additional patches or mitigations"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "vLLM (vllm\u2011project:vllm) versions between 0.10.1 (inclusive) and 0.18.0 (exclusive) are affected. Any deployment of these releases that loads models from remote repositories is vulnerable.", "description_and_impact": "vLLM, the inference engine for large language models, contains a flaw in its model implementation files that hardcode trust_remote_code=True. The setting is applied when loading sub\u2011components, regardless of the user\u2019s configured flag to disable remote code trust. This flaw allows a malicious model repository to execute arbitrary code on the host where vLLM runs. The vulnerability falls under configuration management weaknesses (CWE\u2011693) and can lead to complete compromise of the system running the engine.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. While the EPSS score is not available, the absence from the KEV catalog suggests no known public exploitation yet, yet the ability to execute remote code presents a serious threat. Based on the description, the most likely attack vector involves an attacker providing a malicious model repository and instructing vLLM to load it, thereby bypassing the explicit opt\u2011out. The impact can be system compromise, data exfiltration, or denial of service."}}}}, "created": "2026-03-27T08:31:19.408169+00:00", "updated": "2026-03-27T09:22:41.593113+00:00", "vendors": ["vllm-project", "vllm-project$PRODUCT$vllm"]}