CVE-2026-54232
Received - Intake
Dependency Confusion in vLLM Docker Image

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments. This vulnerability is fixed in 0.22.1.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-427
Description: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Executive Summary

The vulnerability affects vLLM, an inference and serving engine for large language models, specifically versions prior to 0.22.1. The issue arises from a dependency confusion attack involving the flashinfer-jit-cache package. This package is installed from a custom index but was not registered on the official PyPI repository. Because the global setting UV_INDEX_STRATEGY="unsafe-best-match" is enabled, an attacker can register a malicious version of flashinfer-jit-cache on PyPI. During the Docker build process, this malicious package can execute arbitrary code as root, compromising the container images.

This attack allows the attacker to backdoor every resulting container image, potentially leading to exfiltration of sensitive data such as user prompts, API credentials, and model data from production vLLM deployments. The vulnerability was fixed in version 0.22.1.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of code with root privileges during the Docker build process. An attacker can implant backdoors in container images, which compromises the security and integrity of your deployments.

  • Exfiltration of all user prompts
  • Theft of API credentials
  • Exposure of model data from production vLLM deployments

Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.22.1 or later, where the issue has been fixed.

Do not build images from Dockerfile versions prior to 0.22.1, which install the flashinfer-jit-cache package from a custom index using --extra-index-url while UV_INDEX_STRATEGY="unsafe-best-match" is set globally.

Ensure that package installations do not rely on unregistered or unverified packages from custom indexes to prevent dependency confusion attacks.
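
To check your own Dockerfiles for the combination described above (an extra index plus an unsafe uv index strategy), the following audit sketch can be used. It is an added example, not code from vLLM or from this advisory; the function names and the sample Dockerfile are constructed for illustration, and the ENV setting is treated as active for the rest of the file.

```python
import re

# uv strategies that search every configured index for each package name
UNSAFE_STRATEGIES = {"unsafe-best-match", "unsafe-first-match"}
STRATEGY_RE = re.compile(r'(?:UV_INDEX_STRATEGY|--index-strategy)[= ]+["\']?([a-z-]+)')
EXTRA_RE = re.compile(r'--extra-index-url[= ]+(\S+)')

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def audit_dockerfile(text):
    """Report RUN steps that add an extra package index, with the active strategy."""
    findings, env_strategy = [], None
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        instr = line.split(None, 1)[0].upper()
        strat = STRATEGY_RE.search(line)
        if instr == "ENV" and strat:
            env_strategy = strat.group(1)  # applies to later RUN steps
            continue
        if instr != "RUN":
            continue
        active = strat.group(1) if strat else env_strategy
        for url in EXTRA_RE.findall(line):
            # "review": extra index without an unsafe strategy; still confirm
            # the package name is owned on every index that is consulted.
            risk = "high" if active in UNSAFE_STRATEGIES else "review"
            findings.append({"line": lineno, "index": url,
                             "strategy": active, "risk": risk})
    return findings

# Constructed sample, not the actual vLLM Dockerfile.
SAMPLE = r"""FROM python:3.12-slim
ENV UV_INDEX_STRATEGY="unsafe-best-match"
RUN uv pip install --system flashinfer-jit-cache==0.6.11.post2 \
    --extra-index-url https://flashinfer.ai/whl/
RUN uv pip install --system requests
"""

if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE):
        print(finding)
```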
