{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-27893", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.717Z", "datePublished": "2026-03-26T23:56:53.579Z", "dateUpdated": "2026-07-10T12:05:27.223Z" }, "containers": { "cna": { "title": "vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "references": [ { "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59" }, { "name": "https://github.com/vllm-project/vllm/pull/36192", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vllm-project/vllm/pull/36192" }, { "name": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72" } ], "affected": [ { "vendor": "vllm-project", "product": "vllm", "versions": [ { "version": ">= 0.10.1, < 0.18.0", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:56:53.579Z" }, "descriptions": [ { "lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue." } ], "source": { "advisory": "GHSA-7972-pg2x-xr59", "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-27T13:26:41.908182Z", "id": "CVE-2026-27893", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:52:33.526Z" } }, { "affected": [ { "cpes": [ "cpe:/a:redhat:ai_inference_server:3.2::el9" ], "defaultStatus": "affected", "product": "Red Hat AI Inference Server 3.2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ai_inference_server:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat AI Inference Server 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AI 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:2.25::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 2.25", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "affected", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "unaffected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" } ], "datePublic": "2026-03-26T23:56:53.579Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). Two model implementation files hardcode `trust_remote_code=True` when loading sub-components. This bypasses the user's explicit `--trust-remote-code=False` security opt-out, allowing a remote attacker to achieve remote code execution through malicious model repositories." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-501", "description": "Trust Boundary Violation", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-27893" }, { "name": "RHBZ#2452055", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452055" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27893.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:19724" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:19725" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:8748" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:8746" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:8747" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:10140" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:10141" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:24977" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:37275" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:19712" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:19724: Red Hat AI Inference Server 3.2" }, { "lang": "en", "value": "RHSA-2026:19725: Red Hat AI Inference Server 3.2" }, { "lang": "en", "value": "RHSA-2026:8748: Red Hat AI Inference Server 3.3" }, { "lang": "en", "value": "RHSA-2026:8746: Red Hat AI Inference Server 3.3" }, { "lang": "en", "value": "RHSA-2026:8747: Red Hat AI Inference Server 3.3" }, { "lang": "en", "value": "RHSA-2026:10140: Red Hat Enterprise Linux AI 3.3" }, { "lang": "en", "value": "RHSA-2026:10141: Red Hat Enterprise Linux AI 3.3" }, { "lang": "en", "value": "RHSA-2026:24977: Red Hat OpenShift AI 2.25" }, { "lang": "en", "value": "RHSA-2026:37275: Red Hat OpenShift AI 3.3" }, { "lang": "en", "value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3" } ], "timeline": [ { "lang": "en", "time": "2026-03-27T00:01:43.935Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-03-26T23:56:53.579Z", "value": "Made public." } ], "title": "vllm: vLLM: Remote code execution due to hardcoded trust_remote_code setting", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-10T12:05:27.223Z" } } ] } }