HIGH 8.8

CVE-2026-4944: vLLM Remote Code Execution via Hardcoded trust_remote_code Bypass

vLLM version 0.14.1 contains a critical vulnerability in its model loading mechanism that forces remote code execution to be enabled, regardless of user security settings. Specifically, two model implementation files (NemotronVL and KimiK25) have hardcoded parameters that override a user's explicit decision to disable remote code execution. An attacker can exploit this by hosting a malicious model on HuggingFace and triggering code execution on systems that load these specific models, even when administrators thought they had disabled this risky feature.

Source data · NVD / CISA · public domain

CVSS
3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from hardcoded `trust_remote_code=True` parameters in vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py. These hardcoded settings bypass the user-supplied `--trust-remote-code=False` command-line argument and configuration options, creating a security control bypass. When vLLM loads a NemotronVL or KimiK25 model from HuggingFace, it will execute arbitrary Python code embedded in that model repository without respecting the user's intent to prevent remote code execution. This is particularly dangerous because HuggingFace model repositories can contain arbitrary Python files that execute during model loading. The issue represents an incomplete remediation of prior remote code execution vulnerabilities (CVE-2025-66448 and CVE-2026-22807), indicating that the initial fix did not account for all code paths where this parameter is set.

Business impact

Organizations using vLLM 0.14.1 to serve NemotronVL or KimiK25 models face direct remote code execution risk. An attacker can compromise model-serving infrastructure by hosting a weaponized model on HuggingFace and waiting for or manipulating a target organization into loading it. This is particularly serious for: (1) production inference pipelines where vLLM serves models to external or internal users; (2) environments where security teams have explicitly configured `--trust-remote-code=False` as a defense-in-depth measure; (3) multi-tenant deployments where model selection might be partially user-controlled. Successful exploitation grants the attacker the privileges of the vLLM process, typically enabling lateral movement, data exfiltration, and system compromise.

Affected systems

vLLM version 0.14.1 is vulnerable. The impact is specific to deployments that load NemotronVL or KimiK25 models from HuggingFace. Other vLLM deployments and model types are not directly affected by this specific vulnerability, though organizations should verify their model implementation files are not similarly affected. Users running earlier or later versions should verify patch status against the vendor advisory. Both on-premises and cloud-hosted vLLM instances running the vulnerable version are at risk if they attempt to load either of these model architectures.

Exploitability

This vulnerability has a CVSS 3.0 score of 8.8 (HIGH) with a network-accessible attack vector, no privilege requirements, and no user interaction needed beyond loading a model. However, practical exploitation requires: (1) a target organization to load a NemotronVL or KimiK25 model from HuggingFace; (2) either the attacker to host a malicious model repository or compromise an existing one; (3) knowledge that the target will load a specific model. While the technical bar is low, the attack assumes some alignment between attacker capability and target model selection. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the design (hardcoded parameter override) is straightforward to weaponize.

Remediation

Upgrade vLLM to a patched version that removes the hardcoded `trust_remote_code=True` parameters from both model implementation files. Verify the patch version against the vendor's official advisory. Until patching is possible, restrict model loading to NemotronVL and KimiK25 architectures, use air-gapped or internally-mirrored model repositories instead of direct HuggingFace access, and run vLLM with minimal process privileges. Additionally, monitor HuggingFace access logs and model loading events for unexpected model repositories or versions.

Patch guidance

Check the vLLM project repository and official release notes for versions after 0.14.1 that address this issue. The patch should remove hardcoded `trust_remote_code=True` from vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py, allowing user settings to take precedence. Test the patched version in a non-production environment before rollout, particularly focusing on NemotronVL and KimiK25 model loading with `--trust-remote-code=False` to confirm the setting is respected. Coordinate with teams managing ML pipelines to ensure model loading workflows are updated if necessary.

Detection guidance

Monitor vLLM process logs and system audit trails for model loading events, especially those involving NemotronVL or KimiK25 models. Check for unexpected Python code execution or subprocess launches during model initialization. Network monitoring can detect unusual HuggingFace repository access or downloads from non-standard sources. Review vLLM configuration files and command-line arguments to identify any instances where `--trust-remote-code=False` is set but should be enforced. Implement alerting on changes to model repositories or loading of models from new or untrusted HuggingFace accounts.

Why prioritize this

Assign this vulnerability HIGH priority because: (1) the CVSS score is 8.8, reflecting high confidentiality, integrity, and availability impact; (2) it directly bypasses a security control that administrators explicitly configured; (3) the attack surface is the internet (HuggingFace); (4) exploitation requires only network access and knowledge of target model usage; (5) successful exploitation grants full code execution on inference infrastructure. However, it is not CRITICAL because exploitation requires a specific model architecture to be loaded. Organizations using NemotronVL or KimiK25 should treat this as urgent; others should prioritize based on whether they might load these models in future deployments.

Risk score, explained

The CVSS 3.0 score of 8.8 reflects: (1) Network attack vector (AV:N) — the vulnerability is reachable over the internet via HuggingFace model repositories; (2) Low attack complexity (AC:L) — no special conditions required beyond model loading; (3) No privilege requirements (PR:N) — attacker does not need pre-existing access; (4) User interaction (UI:R) — the target organization must choose to load the malicious model, though in practice this is a weak control; (5) High impact across confidentiality, integrity, and availability (C:H/I:H/A:H) — arbitrary code execution grants all three. The severity is HIGH rather than CRITICAL primarily because the attack is gated on specific model architectures and active model loading decisions, not because the security outcome is less severe.

Frequently asked questions

Does this affect all vLLM deployments?

No. Only vLLM 0.14.1 deployments that load NemotronVL or KimiK25 models are directly vulnerable. Other model architectures are unaffected by this specific issue. However, organizations should audit their model implementation files for similar hardcoded parameters as a precaution.

What does 'trust_remote_code' control?

The `trust_remote_code` parameter controls whether vLLM will execute arbitrary Python code found in a HuggingFace model repository during model loading. When set to False, vLLM should refuse to load or execute such code. This vulnerability bypasses that refusal for two specific models, enabling remote code execution even when explicitly disabled.

Can we work around this without patching?

Partial mitigations include: restricting model loading to NemotronVL and KimiK25 only if they are not used, running vLLM with minimal process privileges, using internal model mirrors instead of direct HuggingFace access, and monitoring for unexpected model repository access. However, these are not substitutes for patching and do not eliminate the vulnerability for organizations that actively use these model architectures.

Is this vulnerability actively exploited?

As of the current date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the technical design (hardcoded parameter override) is straightforward to weaponize, and attackers monitoring the vLLM project may develop exploits following public disclosure.

This analysis is provided for informational purposes based on the vulnerability disclosure and public information available as of the publication date. Security assessments should be tailored to your specific environment and risk profile. Verify all patch versions and remediation steps against official vendor advisories before implementation. The absence of public exploit code does not guarantee that exploitation will not occur, and the absence of KEV listing does not reduce the severity of this vulnerability. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).