vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out
Summary
| CVE | CVE-2026-27893 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-27 00:16:22 UTC |
| Updated | 2026-07-10 12:16:37 UTC |
| Description | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.013640000 probability, percentile 0.685560000 (date 2026-07-12)
Problem Types: CWE-693 | CWE-501 | CWE-693 CWE-693: Protection Mechanism Failure | CWE-501 Trust Boundary Violation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Vllm-project | Vllm | affected >= 0.10.1, < 0.18.0 | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.25 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/vllm-project/vllm/pull/36192 | [email protected] | github.com | Issue Tracking |
| access.redhat.com/security/cve/CVE-2026-27893 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24977 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8747 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27893.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19725 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011a... | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:10140 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10141 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19724 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8746 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8748 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19712 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59 | [email protected] | github.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-27T00:01:43.935Z | Reported to Red Hat. |
| ADP | 2026-03-26T23:56:53.579Z | Made public. |
Solutions
ADP: RHSA-2026:19724: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:19725: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:8748: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:8746: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:8747: Red Hat AI Inference Server 3.3
ADP: RHSA-2026:10140: Red Hat Enterprise Linux AI 3.3
ADP: RHSA-2026:10141: Red Hat Enterprise Linux AI 3.3
ADP: RHSA-2026:24977: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:19712: Red Hat OpenShift AI 3.3
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.