CVE-2026-27893
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
Description
### Summary Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. ### Details **Affected files (latest main branch):** 1. `vllm/model_executor/models/nemotron_vl.py:430` ```python vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True) ``` 2. vllm/model_executor/models/kimi_k25.py:177 ```python cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True) ``` Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting. Relation to prior CVEs: - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path) - CVE-2026-22807 fixed broader auto_map at startup - Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths. ### Impact Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee that trust_remote_code=False is intended to provide. Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.
How to fix CVE-2026-27893
To remediate CVE-2026-27893, upgrade the affected package to a fixed version below.
- —upgrade to 0.18.0 or later
Is CVE-2026-27893 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.