{"id":"PYSEC-2026-2010","summary":"vLLM affected by RCE via auto_map dynamic module loading during model initialization","details":"# Summary\n\nvLLM loads Hugging Face `auto_map` dynamic modules during model resolution **without gating on `trust_remote_code`**, allowing attacker-controlled Python code in a model repo/path to execute at server startup.\n\n---\n\n# Impact\n\nAn attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve **arbitrary code execution** on the vLLM host during model load.  \nThis happens **before any request handling** and does **not require API access**.\n\n---\n\n# Affected Versions\n\nAll versions where `vllm/model_executor/models/registry.py` resolves `auto_map` entries with `try_get_class_from_dynamic_module` **without checking `trust_remote_code`** (at least current `main`).\n\n---\n\n# Details\n\nDuring model resolution, vLLM unconditionally iterates `auto_map` entries from the model config and calls `try_get_class_from_dynamic_module`, which delegates to Transformers’ `get_class_from_dynamic_module` and **executes the module code**.\n\nThis occurs even when `trust_remote_code` is `false`, allowing a malicious model repo to embed code in a referenced module and have it executed during initialization.\n\n### Relevant code\n\n- `vllm/model_executor/models/registry.py:856` — auto_map resolution  \n- `vllm/transformers_utils/dynamic_module.py:13` — delegates to `get_class_from_dynamic_module`, which executes code\n\n---\n\n# Fixes\n\n* https://github.com/vllm-project/vllm/pull/32194\n\n# Credits\n\nReported by **bugbunny.ai**","aliases":["CVE-2026-22807","GHSA-2pc9-4j83-qjmr"],"modified":"2026-07-07T17:47:19.616561721Z","published":"2026-07-07T16:03:19.426478Z","references":[{"type":"WEB","url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22807"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/pull/32194"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5"},{"type":"PACKAGE","url":"https://github.com/vllm-project/vllm"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/releases/tag/v0.14.0"},{"type":"PACKAGE","url":"https://pypi.org/project/vllm"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2pc9-4j83-qjmr"}],"affected":[{"package":{"name":"vllm","ecosystem":"PyPI","purl":"pkg:pypi/vllm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.10.1"},{"fixed":"0.14.0"}]}],"versions":["0.10.1","0.10.1.1","0.10.2","0.11.0","0.11.1","0.11.2","0.12.0","0.13.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2026-2010.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}