CVE-2026-47155
Analyzed Analyzed - Analysis Complete

Supply Chain Integrity Flaw in vLLM

Vulnerability report for CVE-2026-47155, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vllm vllm to 0.22.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in vLLM prior to version 0.22.0 involves its revision pinning controls not consistently applying to all artifacts loaded for a model. This means that even if a deployment specifies a particular model revision using --revision or --code-revision, vLLM can still load dynamic code, GGUF files, image processors, retrieval side weights, or subfolder weights/configurations from an unpinned or default revision.

As a result, operators might believe they are serving a reviewed and fixed model revision, but vLLM could be using nested or sibling artifacts from outside that reviewed revision, leading to a supply-chain integrity issue.

This vulnerability was fixed in version 0.22.0 of vLLM.

Impact Analysis

This vulnerability can impact you by undermining the integrity of the model deployment. Even if you specify a particular model revision, the system might load unreviewed or unintended artifacts, which can alter the model's behavior.

This can lead to unexpected or incorrect model outputs, potentially causing reliability and trust issues in applications relying on the model.

Since the issue is related to supply-chain integrity, it could also expose the deployment to risks from malicious or compromised artifacts being loaded without the operator's knowledge.

Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.22.0 or later, where the issue with revision pinning controls has been fixed.

Compliance Impact

This vulnerability in vLLM affects supply-chain integrity by allowing deployments that are supposed to be pinned to a specific model revision to load unpinned or default revisions of dynamic code, weights, and processors. This can lead to unauthorized or unexpected changes in model behavior and data processing.

Such integrity issues can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data processing and system integrity to protect personal and sensitive information. If a system unknowingly uses unreviewed or altered model components, it may violate requirements for data authenticity, integrity, and auditability.

Therefore, this vulnerability could undermine assurances needed for regulatory compliance by allowing unauthorized modifications to the model artifacts that process data, potentially leading to data integrity and confidentiality risks.

Detection Guidance

This vulnerability involves vLLM versions prior to 0.22.0 where revision pinning does not consistently apply to all artifacts loaded for a model, potentially causing unpinned or default revisions to be used. Detection would involve verifying the version of vLLM deployed and checking if the model loading process respects the --revision or --code-revision flags for all artifacts.

To detect if your system is affected, first confirm the vLLM version by running a command such as:

  • python -m pip show vllm

If the version is earlier than 0.22.0, your deployment may be vulnerable. Additionally, you can inspect the model loading logs or debug output to verify whether all artifacts (dynamic code, GGUF files, image processors, retrieval side weights, subfolder weights/config) are being loaded with the specified revision.

Since the vulnerability is related to inconsistent propagation of revision pins, you might also check the command line or configuration used to launch vLLM for the presence of --revision or --code-revision flags.

There are no specific network or system commands provided in the resources to detect this vulnerability automatically, so manual verification of version and configuration is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart