Platform: python
Component: vllm
Fixed in: 0.10.2, 0.14.0
CVE-2026-22807 is a Remote Code Execution (RCE) vulnerability affecting vLLM, a fast LLM inference and serving engine, versions up to 0.13.0. This vulnerability allows an attacker to execute arbitrary code on the vLLM host during model loading, potentially leading to complete system compromise. The vulnerability stems from vLLM's handling of Hugging Face auto_map dynamic modules without proper security gating. A fix is available in version 0.14.0.
The impact of CVE-2026-22807 is severe. An attacker who can control the model repository or local path used by vLLM can inject malicious Python code. This code will execute during the model loading process, before any API requests are handled. Critically, this means the attacker does not need API access to exploit the vulnerability. The attacker could install malware, steal sensitive data, or establish a persistent backdoor on the vLLM server. This vulnerability shares similarities with other remote code execution flaws where untrusted code is loaded and executed without proper validation, potentially allowing for complete system takeover.
CVE-2026-22807 was publicly disclosed on January 21, 2026. The vulnerability is present in the vllm/model_executor/models/registry.py file, which resolves auto_map. There is currently no indication of this vulnerability being actively exploited in the wild, but the ease of exploitation and the potential impact warrant immediate attention. The EPSS score is likely to be medium, given the public disclosure and the relatively straightforward exploitation path. No KEV listing is currently available.
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-22807 is to upgrade vLLM to version 0.14.0 or later, which includes the necessary security fixes. If upgrading immediately is not feasible, consider restricting the allowed model repositories to trusted sources only. Implement strict input validation on model paths to prevent attackers from specifying arbitrary locations. While not a complete solution, enabling a Web Application Firewall (WAF) with rules to detect and block suspicious code execution attempts can provide an additional layer of defense. After upgrading, confirm the fix by attempting to load a known malicious model and verifying that the code execution is blocked.
Upgrade vLLM to version 0.14.0 or later. This fixes the remote code execution vulnerability that occurs when loading models containing malicious code. Make sure the installation is performed from a trusted source.
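As an interim check in the spirit of the mitigations above, the following added example (not vLLM's code and not part of the original advisory) inspects a local model directory for `auto_map` entries before it is handed to an affected vLLM version. The function names, the list of config files scanned, and the sample config are assumptions made for illustration; the fixed version comes from this page.

```python
import json
import re
import tempfile
from pathlib import Path

# Config files checked for an auto_map entry (assumed list, extend as needed).
CONFIG_FILES = ("config.json", "tokenizer_config.json", "preprocessor_config.json")
FIXED = (0, 14, 0)  # fixed release named on this page


def is_affected(version):
    """True if a vLLM version string such as '0.13.0' is older than FIXED."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("+")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED


def find_auto_map(model_dir):
    """Return (file, auto_class, reference) for each auto_map entry found."""
    findings = []
    for name in CONFIG_FILES:
        path = Path(model_dir) / name
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append((name, "<unparseable>", ""))  # fail closed
            continue
        auto_map = data.get("auto_map") if isinstance(data, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for auto_class, ref in auto_map.items():
            refs = ref if isinstance(ref, list) else [ref]
            findings.extend((name, auto_class, r) for r in refs if r)
    return findings


def safe_to_load(model_dir, vllm_version):
    """Policy: an affected vLLM must not load a directory that declares auto_map."""
    return not (is_affected(vllm_version) and find_auto_map(model_dir))


def demo():
    """Run the check against a constructed sample config (not a real model)."""
    sample = {"auto_map": {"AutoConfig": "configuration_demo.DemoConfig",
                           "AutoTokenizer": ["tokenization_demo.DemoTokenizer", None]}}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "config.json").write_text(json.dumps(sample), encoding="utf-8")
        return find_auto_map(d), safe_to_load(d, "0.13.0"), safe_to_load(d, "0.14.0")
```

The check only covers directories already on disk; a model identifier resolved from a remote repository at load time still needs the trusted-source restriction described above.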
CVE-2026-22807 is a Remote Code Execution vulnerability in vLLM versions up to 0.13.0, allowing attackers to execute code during model loading.
You are affected if you are using vLLM versions 0.13.0 or earlier and load models from untrusted sources.
Upgrade vLLM to version 0.14.0 or later. Restrict model repository access to trusted sources as an interim measure.
There is currently no public evidence of active exploitation, but the vulnerability's impact warrants immediate remediation.
Refer to the vLLM project's official security advisories and release notes on their GitHub repository or website.