CVE-2026-4944
Deferred Deferred - Pending Action
Hardcoded Trust Remote Code in vLLM

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: huntr.dev

Description
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-4944
EUVD
EUVD-2026-32979
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vllm-project vllm 0.14.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in vllm-project/vllm version 0.14.1 where the parameter `trust_remote_code=True` is hardcoded in two model implementation files: `vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`.

This hardcoding bypasses the user's explicit setting of `--trust-remote-code=False`, which normally would prevent execution of remote code.

As a result, it enables remote code execution through malicious HuggingFace model repositories when loading these specific models.

This issue is an incomplete fix for previous vulnerabilities CVE-2025-66448 and CVE-2026-22807, affecting separate code paths in the model implementation files.

Deployments that load NemotronVL or KimiK25 models are particularly impacted by this vulnerability.

Impact Analysis

This vulnerability can lead to remote code execution on systems running vllm-project/vllm version 0.14.1 when loading NemotronVL or KimiK25 models.

An attacker could exploit malicious HuggingFace model repositories to execute arbitrary code remotely, potentially compromising the affected system.

The impact includes full confidentiality, integrity, and availability loss as indicated by the CVSS score (8.8), meaning attackers could steal data, modify or delete information, or disrupt system operations.

Mitigation Strategies

To mitigate this vulnerability, avoid deploying or loading NemotronVL or KimiK25 models in your vllm-project vllm version 0.14.1 environment, as these models contain the hardcoded `trust_remote_code=True` parameter that enables remote code execution.

Additionally, do not rely on the `--trust-remote-code=False` setting alone, since it is bypassed in these model implementation files. Consider updating to a version of vllm that addresses this issue once available.

Compliance Impact

This vulnerability allows remote code execution by bypassing user settings, which can lead to unauthorized access and control over affected systems.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data security and privacy.

However, specific effects on compliance are not detailed in the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart