CVE-2026-27893

HIGH8.8EPSS 0.05%

vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out

發布日:2026/3/27修改日:2026/3/30

描述

### Summary Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. ### Details **Affected files (latest main branch):** 1. `vllm/model_executor/models/nemotron_vl.py:430` ```python vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True) ``` 2. vllm/model_executor/models/kimi_k25.py:177 ```python cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True) ``` Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting. Relation to prior CVEs: - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path) - CVE-2026-22807 fixed broader auto_map at startup - Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths. ### Impact Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee that trust_remote_code=False is intended to provide. Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.

受影響套件(1)

PyPI/vllm>= 0.10.1, < 0.18.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

描述

受影響套件(1)

CVSS 分數

參考連結(5)