CVE-2026-54232
Analyzed Analyzed - Analysis Complete

Dependency Confusion in vLLM Docker Image

Vulnerability report for CVE-2026-54232, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vllm vllm to 0.22.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability affects vLLM, an inference and serving engine for large language models, specifically versions prior to 0.22.1. The issue arises from a dependency confusion attack involving the flashinfer-jit-cache package. This package is installed from a custom index but was not registered on the official PyPI repository. Because the global setting UV_INDEX_STRATEGY="unsafe-best-match" is enabled, an attacker can register a malicious version of flashinfer-jit-cache on PyPI. During the Docker build process, this malicious package can execute arbitrary code as root, compromising the container images.

This attack allows the attacker to backdoor every resulting container image, potentially leading to exfiltration of sensitive data such as user prompts, API credentials, and model data from production vLLM deployments. The vulnerability was fixed in version 0.22.1.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of code with root privileges during the Docker build process. An attacker can implant backdoors in container images, which compromises the security and integrity of your deployments.

  • Exfiltration of all user prompts
  • Theft of API credentials
  • Exposure of model data from production vLLM deployments
Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.22.1 or later, where the issue has been fixed.

Avoid using the vulnerable Dockerfile versions prior to 0.22.1 that install the flashinfer-jit-cache package from an untrusted custom index with unsafe index strategy settings.

Ensure that package installations do not rely on unregistered or unverified packages from custom indexes to prevent dependency confusion attacks.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code as root during the Docker build process, potentially backdooring container images. This can lead to exfiltration of all user prompts, API credentials, and model data from production vLLM deployments.

Such unauthorized access and data exfiltration could result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data and failing to maintain adequate security controls.

Detection Guidance

To detect the CVE-2026-54232 vulnerability on your system, you should check the version of the vLLM Docker images you are using. Versions prior to 0.22.1 are vulnerable.

You can inspect your Docker images to see if they were built with a vulnerable version of the vLLM Dockerfile by checking the image tags or labels.

Additionally, you can look for the presence of the flashinfer-jit-cache package installed from PyPI instead of the custom index, which indicates a potential compromise.

  • Run `docker images` to list your Docker images and check their tags for vLLM versions.
  • Use `docker history <image_name>:<tag>` to inspect the build steps of the image and verify if the flashinfer-jit-cache package was installed.
  • Check installed Python packages inside a running container with `docker run --rm <image_name>:<tag> pip show flashinfer-jit-cache` to verify the source and version.
  • Monitor network traffic for unexpected outbound connections that could indicate exfiltration of data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54232. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart