CVE-2026-4944
Description
vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files (vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py). This bypasses the user's explicit --trust-remote-code=False setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
vllm v0.14.1 hardcodes trust_remote_code=True in the NemotronVL and KimiK25 model files, bypassing the user's --trust-remote-code=False setting and enabling RCE via malicious HuggingFace repos.
Vulnerability
The vulnerability exists in vllm-project/vllm version 0.14.1, where the trust_remote_code=True parameter is hardcoded in two model implementation files: vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py. This bypasses the user's explicit --trust-remote-code=False configuration, leading to remote code execution when loading models from HuggingFace repositories. This is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, affecting separate code paths. [1]
Exploitation
An attacker can craft a malicious HuggingFace model repository that, when loaded by a vllm deployment using the affected model files, executes arbitrary code. The attacker needs to host a malicious model on HuggingFace and trick the victim into loading it (or compromise a repository the victim trusts). No additional authentication is required beyond accessing the model. The hardcoded trust_remote_code=True means the user's command-line flag is ignored, so even if the user sets --trust-remote-code=False, the exploit succeeds. [1]
Impact
Successful exploitation results in remote code execution on the server running vllm. The attacker gains the ability to execute arbitrary commands with the privileges of the vllm process, leading to full compromise of the affected system. This includes disclosure of sensitive data, modification of files, and further lateral movement within the network. [1]
Mitigation
As of the publication date (2026-05-28), no fixed version is mentioned in the available reference. Users should avoid deploying vllm 0.14.1 with models that use the affected NemotronVL or KimiK25 implementations until a patch is released. Workarounds include using alternative models not relying on these files, or manually auditing and modifying the source code to respect the --trust-remote-code flag. The vulnerability is not listed in KEV as of now. [1]
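One way to carry out the manual audit mentioned above is to scan the installed source tree for calls that pass trust_remote_code=True as a literal. The following is an added example, not code from vllm or from the cited reference; the function names and the embedded sample module are constructed for illustration.

```python
import ast
import sys
from pathlib import Path


def callee_name(node: ast.Call) -> str:
    """Best-effort dotted name of the function being called (Python 3.9+)."""
    try:
        return ast.unparse(node.func)
    except Exception:
        return "<unknown>"


def find_hardcoded_trust(source: str, filename: str = "<string>"):
    """Return (filename, line, callee) for each call that passes the literal
    trust_remote_code=True, i.e. without consulting any user setting."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append((filename, node.lineno, callee_name(node)))
    return findings


def scan_tree(root: str):
    """Scan every .py file under root, skipping files that do not parse."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            findings += find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample module: one hardcoded call, one that honours the setting.
SAMPLE = '''
from transformers import AutoConfig, AutoProcessor

def load(model_path, model_config):
    cfg = AutoConfig.from_pretrained(model_path, trust_remote_code=True)
    proc = AutoProcessor.from_pretrained(
        model_path, trust_remote_code=model_config.trust_remote_code)
    return cfg, proc
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_hardcoded_trust(SAMPLE, "sample.py")
    for fname, line, callee in hits:
        print(f"{fname}:{line}: {callee}(..., trust_remote_code=True)")
```

Run it with the path of the installed vllm package as the only argument. It only catches the literal keyword form; values passed through a dict or a variable assigned True still need manual review.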
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)