{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27893", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.717Z", "datePublished": "2026-03-26T23:56:53.579Z", "dateUpdated": "2026-03-27T13:52:33.526Z"}, "containers": {"cna": {"title": "vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"}, {"name": "https://github.com/vllm-project/vllm/pull/36192", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/36192"}, {"name": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": ">= 0.10.1, < 0.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:56:53.579Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue."}], "source": {"advisory": "GHSA-7972-pg2x-xr59", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:26:41.908182Z", "id": "CVE-2026-27893", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:52:33.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out", "source": {"advisory": "GHSA-7972-pg2x-xr59", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"status": "affected", "version": ">= 0.10.1, < 0.18.0"}]}], "references": [{"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vllm-project/vllm/pull/36192", "name": "https://github.com/vllm-project/vllm/pull/36192", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72", "name": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:56:53.579Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:26:41.908182Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:26:45.730Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27893", "state": "PUBLISHED", "dateUpdated": "2026-03-26T23:56:53.579Z", "dateReserved": "2026-02-24T15:19:29.717Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T23:56:53.579Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue."}], "id": "CVE-2026-27893", "lastModified": "2026-03-27T00:16:22.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:22.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/pull/36192"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting", "id": "2452055", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452055"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-501", "details": ["A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). Two model implementation files hardcode `trust_remote_code=True` when loading sub-components. This bypasses the user's explicit `--trust-remote-code=False` security opt-out, allowing a remote attacker to achieve remote code execution through malicious model repositories."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-27893", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-cpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-neuron-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cpu-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-26T23:56:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27893\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27893\nhttps://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72\nhttps://github.com/vllm-project/vllm/pull/36192\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"], "statement": "This is an Important vulnerability in vLLM, as shipped in Red Hat AI Inference Server and Red Hat OpenShift AI. The flaw allows remote code execution due to vLLM hardcoding `trust_remote_code=True` when loading sub-components, which bypasses the user's explicit `--trust-remote-code=False` security opt-out. This can lead to exploitation through malicious model repositories.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.1,0.18.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vllm", "source": "cna", "vendor": "vllm-project"}, "product": "vllm", "vendor": "vllm-project"}], "analysis": {"en": {"generated_at": "2026-03-27T13:23:22.188827+00:00", "value": {"mitigation_remediation": ["Update vLLM to version 0.18.0 or later to remove the hardcoded trust_remote_code flag.", "Verify that the deployment pipeline only loads models from trusted sources or repositories.", "If an immediate upgrade is not possible, temporarily remove or disable any custom code that sets trust_remote_code=True and ensure the flag remains set to False.", "Monitor vLLM release notes and security advisories for future patches or additional guidance."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected product: vLLM inference and serving engine from vllm\u2011project. Vulnerable releases are vLLM versions 0.10.1 through any release before 0.18.0. The issue does not affect other vendors or product lines.", "description_and_impact": "The vulnerability stems from hardcoded trust_remote_code=True in model implementation files of vLLM between versions 0.10.1 and before 0.18.0. This bypasses any user\u2011specified --trust-remote-code=False setting, allowing code from remote model repositories to execute on the host. The consequence is remote code execution, providing attackers with full control over the deployment environment and compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw by hosting or pointing to a malicious model repository; the hardcoded trust flag removes the safety net intended by the user, enabling straightforward remote code execution when the offending model is loaded. Given the lack of an available exploit probability metric, administrators should treat this as a high\u2011risk issue that could be leveraged in the wild."}}}}, "created": "2026-03-27T08:31:19.408169+00:00", "updated": "2026-03-27T15:47:18.826076+00:00", "vendors": ["vllm-project", "vllm-project$PRODUCT$vllm"]}