0.10.2
0.18.0
CVE-2026-27893 describes a Remote Code Execution (RCE) vulnerability affecting vllm versions up to 0.17.1. This vulnerability arises from the hardcoding of trustremotecode=True within specific model implementation files, effectively bypassing user-configured security opt-outs. Successful exploitation allows attackers to execute arbitrary code via malicious model repositories, even when users have explicitly disabled remote code trust. A fix is available in vllm 0.18.0.
The primary impact of CVE-2026-27893 is the potential for remote code execution. An attacker could craft a malicious model repository and, by enticing a vllm user to load it, execute arbitrary code on the system running vllm. This could lead to complete system compromise, data exfiltration, or denial of service. The hardcoded trustremotecode=True setting circumvents the intended security mechanism, making exploitation significantly easier. This vulnerability is particularly concerning as it allows for code execution even when the user has explicitly disabled remote code trust, a common security best practice. The blast radius extends to any system running a vulnerable version of vllm and loading models from untrusted sources.
CVE-2026-27893 was publicly disclosed on 2026-03-27. The vulnerability's ease of exploitation, combined with the widespread use of vllm, suggests a potential for active exploitation. There are currently no known public proof-of-concept exploits, but the vulnerability's nature makes it likely that one will emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27893 is to upgrade to vllm version 0.18.0 or later, which resolves the hardcoded trustremotecode=True setting. If upgrading is not immediately feasible, consider restricting model loading to trusted sources only. Implement strict input validation and sanitization for any model-related data. As a temporary workaround, consider running vllm within a sandboxed environment to limit the potential impact of successful exploitation. Monitor system logs for any unusual activity related to model loading or execution. After upgrading, confirm the fix by attempting to load a known malicious model repository (in a safe, isolated environment) and verifying that the code execution is blocked.
Update vLLM to version 0.18.0 or higher. This corrects the vulnerability that allows remote code execution when loading models with `trust_remote_code=True` even when the user has explicitly disabled remote code trust.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27893 is a Remote Code Execution vulnerability in vllm versions up to 0.17.1. It allows attackers to execute code via malicious model repositories due to hardcoded trust settings.
If you are using vllm version 0.17.1 or earlier, you are affected by this vulnerability. Check your version using pip show vllm.
Upgrade to vllm version 0.18.0 or later. This resolves the hardcoded trust setting and mitigates the vulnerability.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the vllm project's official security advisories and release notes on their GitHub repository: [https://github.com/vllm-project/vllm](https://github.com/vllm-project/vllm)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.