GHSA-7972-pg2x-xr59

Source
https://github.com/advisories/GHSA-7972-pg2x-xr59
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7972-pg2x-xr59/GHSA-7972-pg2x-xr59.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7972-pg2x-xr59
Aliases
  • CVE-2026-27893
Related
Published
2026-03-27T15:27:20Z
Modified
2026-03-30T20:29:19.856667Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
Details

### Summary

Two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust.

### Details

Affected files (latest main branch):

  1. vllm/model_executor/models/nemotron_vl.py:430

     ```python
     vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
     ```

  2. vllm/model_executor/models/kimi_k25.py:177

     ```python
     cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
     ```

Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting.

Relation to prior CVEs:

  • CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path)
  • CVE-2026-22807 fixed broader auto_map at startup
  • Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths.

### Impact

Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee that trust_remote_code=False is intended to provide.

Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.
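To audit a fork, plugin or custom model file for the same pattern, a static check can flag every call that passes a literal trust_remote_code=True instead of the user's setting. This is an added example, not code from the advisory or from vLLM; the function names and both sample sources are constructed for illustration.

```python
import ast

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def _forces_trust(call):
    """True if the call passes trust_remote_code=True as a literal."""
    for kw in call.keywords:
        if kw.arg == "trust_remote_code" and _is_true(kw.value):
            return True
        # Also catch f(**{"trust_remote_code": True})
        if kw.arg is None and isinstance(kw.value, ast.Dict):
            for key, val in zip(kw.value.keys, kw.value.values):
                if (isinstance(key, ast.Constant)
                        and key.value == "trust_remote_code" and _is_true(val)):
                    return True
    return False

def find_hardcoded_trust(source, filename="<source>"):
    """Return sorted (filename, line, callee) for every offending call."""
    tree = ast.parse(source, filename=filename)
    return sorted(
        (filename, node.lineno, ast.unparse(node.func))
        for node in ast.walk(tree)
        if isinstance(node, ast.Call) and _forces_trust(node)
    )

# Constructed sample mirroring the two call shapes quoted in the advisory.
VULNERABLE = '''
def build(config):
    vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)
    return vision_model

def processor(self):
    return cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)
'''

# Constructed sample following the advisory's remediation: propagate the user's setting.
FIXED = '''
def build(self, config):
    return AutoModel.from_config(
        config.vision_config,
        trust_remote_code=self.config.model_config.trust_remote_code,
    )
'''

if __name__ == "__main__":
    for hit in find_hardcoded_trust(VULNERABLE, "sample_vulnerable.py"):
        print("%s:%d: %s(... trust_remote_code=True)" % hit)
    assert find_hardcoded_trust(FIXED, "sample_fixed.py") == []
```

The check only sees literal values, so a flag that is set to True through a variable or default argument still needs manual review.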

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-693"
    ],
    "nvd_published_at": "2026-03-27T00:16:22Z",
    "github_reviewed_at": "2026-03-27T15:27:20Z",
    "severity": "HIGH"
}
References

Affected packages

PyPI / vllm

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.10.1
Fixed
0.18.0

Affected versions

0.*
0.10.1
0.10.1.1
0.10.2
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.17.0
0.17.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7972-pg2x-xr59/GHSA-7972-pg2x-xr59.json"