GHSA-7972-PG2X-XR59
Vulnerability from github – Published: 2026-03-27 15:27 – Updated: 2026-03-27 15:27Summary
Two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model
repositories even when the user has explicitly disabled remote code trust.
### Details
Affected files (latest main branch):
vllm/model_executor/models/nemotron_vl.py:430```python vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
2. vllm/model_executor/models/kimi_k25.py:177
```python
cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting.
Relation to prior CVEs: - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path) - CVE-2026-22807 fixed broader auto_map at startup - Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths.
Impact
Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee that trust_remote_code=False is intended to provide.
Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.1"
},
{
"fixed": "0.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27893"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T15:27:20Z",
"nvd_published_at": "2026-03-27T00:16:22Z",
"severity": "HIGH"
},
"details": "### Summary\n\n Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user\u0027s explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model\n repositories even when the user has explicitly disabled remote code trust.\n\n ### Details\n\n **Affected files (latest main branch):**\n\n 1. `vllm/model_executor/models/nemotron_vl.py:430`\n ```python\n vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)\n```\n\n 2. vllm/model_executor/models/kimi_k25.py:177\n \n```python\n cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)\n```\n\n Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user\u0027s global --trust-remote-code=False setting.\n\n Relation to prior CVEs:\n - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path)\n - CVE-2026-22807 fixed broader auto_map at startup\n - Both fixes are present in the current code. These hardcoded instances in model files survived both patches \u2014 different code paths.\n\n### Impact\n\n Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee\n that trust_remote_code=False is intended to provide.\n\n Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn\u0027t opted in.",
"id": "GHSA-7972-pg2x-xr59",
"modified": "2026-03-27T15:27:20Z",
"published": "2026-03-27T15:27:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27893"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/36192"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.