Platform
python
Component
vllm
Fixed version
0.10.2
0.14.0
CVE-2026-22807 is a Remote Code Execution (RCE) vulnerability affecting vLLM, a fast LLM inference and serving engine, versions up to 0.13.0. This vulnerability allows an attacker to execute arbitrary code on the vLLM host during model loading, potentially leading to complete system compromise. The vulnerability stems from vLLM's handling of Hugging Face auto_map dynamic modules without proper security gating. A fix is available in version 0.14.0.
The impact of CVE-2026-22807 is severe. An attacker who can control the model repository or local path used by vLLM can inject malicious Python code. This code will execute during the model loading process, before any API requests are handled. Critically, this means the attacker does not need API access to exploit the vulnerability. The attacker could install malware, steal sensitive data, or establish a persistent backdoor on the vLLM server. This vulnerability shares similarities with other remote code execution flaws where untrusted code is loaded and executed without proper validation, potentially allowing for complete system takeover.
CVE-2026-22807 was publicly disclosed on January 21, 2026. The vulnerability is present in the vllm/model_executor/models/registry.py file, which resolves auto_map. There is currently no indication of this vulnerability being actively exploited in the wild, but the ease of exploitation and the potential impact warrant immediate attention. The EPSS score is likely to be medium, given the public disclosure and the relatively straightforward exploitation path. No KEV listing is currently available.
Organizations deploying vLLM for LLM inference and serving are at risk, particularly those using untrusted or publicly accessible Hugging Face model repositories. Environments where vLLM is used for sensitive workloads or integrated with other critical systems face the highest risk. Shared hosting environments where multiple users can influence model paths are also particularly vulnerable.
• python / server:
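    import re
    import subprocess

    FIXED_VERSION = (0, 14, 0)  # first release that contains the fix

    def check_vllm_version():
        try:
            result = subprocess.check_output(['vllm', '--version'], stderr=subprocess.STDOUT, text=True)
        except FileNotFoundError:
            print("vLLM not found.")
            return
        except subprocess.CalledProcessError as e:
            print(f"Error checking vLLM version: {e}")
            return
        # Use the first X.Y.Z in the output and compare numerically, so every
        # release before 0.14.0 is flagged, not only the 0.13.x series.
        match = re.search(r'(\d+)\.(\d+)\.(\d+)', result)
        if match is None:
            print(f"Could not parse vLLM version from: {result.strip()}")
            return
        version = tuple(int(part) for part in match.groups())
        if version < FIXED_VERSION:
            print(f"vLLM version is vulnerable: {match.group(0)}")
        else:
            print(f"vLLM version is not vulnerable: {match.group(0)}")

    check_vllm_version()
• python / supply-chain: Monitor Hugging Face model repositories for suspicious code or unusual file modifications.
• generic web: Inspect vLLM server logs for errors related to model loading or unexpected code execution.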
disclosure
patch
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22807 is to upgrade vLLM to version 0.14.0 or later, which includes the necessary security fixes. If upgrading immediately is not feasible, consider restricting the allowed model repositories to trusted sources only. Implement strict input validation on model paths to prevent attackers from specifying arbitrary locations. While not a complete solution, enabling a Web Application Firewall (WAF) with rules to detect and block suspicious code execution attempts can provide an additional layer of defense. After upgrading, confirm the fix by attempting to load a known malicious model and verifying that the code execution is blocked.
Upgrade vLLM to version 0.14.0 or later. This fixes the remote code execution vulnerability when loading models that contain malicious code. Make sure the installation is performed from a trusted source.
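An added example, not code from the vLLM project or from this page: a pre-load audit supporting the interim mitigation of restricting models to trusted sources. It reads a local model directory's config.json as data only, lists the `auto_map` references it declares (including the Hugging Face `owner/repo--module.Class` form that points at another repository), and refuses the directory unless it is on a reviewed allowlist. `REVIEWED_MODELS`, the function names and the sample configs are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist: directory names whose custom code has been reviewed.
REVIEWED_MODELS = {"reviewed-model"}

def auto_map_refs(config):
    """Return every class reference declared under config["auto_map"]."""
    refs = []
    for value in (config.get("auto_map") or {}).values():
        # A value is a string, or a list (slow/fast tokenizer) that may hold None.
        items = value if isinstance(value, (list, tuple)) else [value]
        refs.extend(v for v in items if isinstance(v, str))
    return refs

def audit_model_dir(model_dir):
    """Read config.json as data only; nothing from the directory is imported."""
    model_dir = Path(model_dir)
    config = json.loads((model_dir / "config.json").read_text(encoding="utf-8"))
    findings = []
    for ref in auto_map_refs(config):
        # "owner/repo--module.Class" names code hosted in another repository.
        repo, sep, target = ref.rpartition("--")
        module = target.rsplit(".", 1)[0].replace(".", "/")
        findings.append({
            "reference": ref,
            "external_repo": repo if sep else None,
            "module_file_present": (model_dir / f"{module}.py").is_file(),
        })
    allowed = not findings or model_dir.name in REVIEWED_MODELS
    return {"allowed": allowed, "findings": findings}

def demo():
    """Audit two constructed sample configs written to a temporary directory."""
    samples = {
        "plain-model": {"model_type": "llama"},
        "custom-model": {"auto_map": {
            "AutoConfig": "configuration_x.XConfig",
            "AutoModelForCausalLM": "other-org/other-repo--modeling_x.XModel"}},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, cfg in samples.items():
            d = Path(tmp) / name
            d.mkdir()
            (d / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
            (d / "configuration_x.py").write_text("# constructed placeholder\n")
            results[name] = audit_model_dir(d)
    return results
```

Running `audit_model_dir` in a deployment pipeline before the path is handed to the server gives a reviewable list of every module file that would need inspection; it complements the upgrade to 0.14.0 and does not replace it.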
CVE-2026-22807 is a Remote Code Execution vulnerability in vLLM versions up to 0.13.0, allowing attackers to execute code during model loading.
You are affected if you are using vLLM versions 0.13.0 or earlier and load models from untrusted sources.
Upgrade vLLM to version 0.14.0 or later. Restrict model repository access to trusted sources as an interim measure.
There is currently no public evidence of active exploitation, but the vulnerability's impact warrants immediate remediation.
Refer to the vLLM project's official security advisories and release notes on their GitHub repository or website.