CVE-2026-4944

Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control

Assigner: @huntr_ai
Reserved: 26.03.2026 Published: 28.05.2026 Updated: 28.05.2026

vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files (vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py). This bypasses the user's explicit --trust-remote-code=False setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.0

Product Status

Vendor	vllm-project
Product	vllm-project/vllm
Versions	affected from unspecified to latest (incl.)

Vendor

vllm-project

Product

vllm-project/vllm

Versions

affected from unspecified to latest (incl.)

References

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

CVE-2026-4944 PUBLISHED

Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control

Metrics

Product Status

References

Problem Types