High severity · NVD Advisory · Published Mar 26, 2026 · Updated Mar 27, 2026
vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out
CVE-2026-27893
Description
vLLM is an inference and serving engine for large language models (LLMs). In versions 0.10.1 and later, prior to 0.18.0, the NemotronVL and KimiK25 model implementation files hardcode trust_remote_code=True when loading their sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. Because custom model code from a Hugging Face repository runs inside the serving process, this enables remote code execution via a malicious model repository even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vllm (PyPI) | >= 0.10.1, < 0.18.0 | 0.18.0 |
Affected products
- pkg:apk/chainguard/py3.10-vllm-cuda-12.4 (no CPE): < 0.18.1-r0
- pkg:apk/chainguard/py3.12-vllm-cuda-12.4 (no CPE): < 0.18.1-r0
- pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0 (no CPE): < 25.11-r7
- pkg:apk/chainguard/vllm-openai-cuda-12.9 (no CPE): < 0.19.0-r0
- pkg:pypi/vllm (no CPE): >= 0.10.1, < 0.18.0
Patches
Fixed in vLLM 0.18.0 by the commit and pull request #36192 listed under References; deployments on 0.10.1 through 0.17.x should upgrade. Until then, do not serve model repositories from untrusted sources with the affected NemotronVL and KimiK25 implementations, since the --trust-remote-code opt-out does not protect those code paths.
Vulnerability mechanics
vLLM forwards the user's --trust-remote-code setting to the Hugging Face transformers loaders it calls; when the flag is off, transformers refuses to import and execute custom model code shipped inside a repository. The two affected model implementations pass trust_remote_code=True directly when loading their sub-components instead of threading through the user's setting, so a repository carrying custom code has that code executed regardless of the opt-out. Because the loader runs inside the serving process, a malicious model repository yields remote code execution on the host.
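The pattern behind this advisory is a literal `trust_remote_code=True` at a call site that should have received the user's flag. The following is an added example, not vLLM's own code: an AST-based check that reports every call passing `trust_remote_code` as the literal `True`, run over two constructed snippets in the vulnerable and fixed shapes (the function and loader names in those snippets are illustrative, not the affected vLLM files). A `scan_tree` helper applies the same check to every `.py` file under a directory, for example a checkout of vLLM's model directory.

```python
"""AST lint for hardcoded trust_remote_code=True (added example, not vLLM's code).

It flags any call that passes trust_remote_code as the literal True, the pattern
behind CVE-2026-27893, and accepts calls that thread a variable through. The two
snippets below are constructed to illustrate the shapes; they are not the
affected vLLM files.
"""
import ast
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    callee: str


def _callee_name(call: ast.Call) -> str:
    """Best-effort name of the called function, for the report."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<call>"


def find_hardcoded_trust(source: str, path: str = "<string>") -> list[Finding]:
    """Return a Finding for every call keyword trust_remote_code=True.

    Only a literal True is reported; trust_remote_code=config.trust_remote_code
    (the fixed pattern) is left alone because the value comes from the user.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "trust_remote_code"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
            ):
                findings.append(Finding(path, node.lineno, _callee_name(node)))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Scan every .py file under root (e.g. a checkout of vLLM's models directory)."""
    findings: list[Finding] = []
    for py in sorted(Path(root).rglob("*.py")):
        findings.extend(find_hardcoded_trust(py.read_text(encoding="utf-8"), str(py)))
    return findings


# Constructed snippet in the vulnerable shape: the user's opt-out never reaches the loader.
VULNERABLE_SNIPPET = '''
def load_vision_tower(model_path, config):
    tower_cfg = AutoConfig.from_pretrained(model_path, trust_remote_code=True)
    return AutoModel.from_config(tower_cfg, trust_remote_code=True)
'''

# Constructed snippet in the fixed shape: the flag is threaded from the model config.
FIXED_SNIPPET = '''
def load_vision_tower(model_path, config):
    tower_cfg = AutoConfig.from_pretrained(
        model_path, trust_remote_code=config.trust_remote_code
    )
    return AutoModel.from_config(tower_cfg, trust_remote_code=config.trust_remote_code)
'''


if __name__ == "__main__":
    for f in find_hardcoded_trust(VULNERABLE_SNIPPET, "vulnerable.py"):
        print(f"{f.path}:{f.lineno}: {f.callee}(... trust_remote_code=True ...)")
    print("fixed snippet findings:", find_hardcoded_trust(FIXED_SNIPPET, "fixed.py"))
```

The check is deliberately narrow: it reports only a literal `True` passed by keyword, so a value assigned to a variable and then passed, or passed positionally, will not be flagged. Treat a clean scan as a necessary condition, not proof that every loader honours the opt-out.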
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-7972-pg2x-xr59
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27893
- Fix commit: https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72
- Pull request: https://github.com/vllm-project/vllm/pull/36192
- vLLM security advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59