CVE-2026-4944
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files (vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py). This bypasses the user's explicit --trust-remote-code=False setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vllm-project | vllm-project/vllm | unspecified <= latest | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.