External risk intelligence

vLLM Dynamic Module Loading Vulnerability Allows Arbitrary Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-22807

vLLM is an inference and serving engine often deployed as a web service or API endpoint to host LLMs. While these services can be internet-facing, they are frequently deployed within internal networks, private cloud environments, or behind API gateways to serve internal applications, making broad public internet exposure common but not strictly required for the product's primary function.

Code Injection

Vllm

0.10.1 to before 0.14.0

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the vLLM large language model engine that could allow attackers to execute arbitrary code on the server when a model is loaded. This occurs due to the engine loading external code without proper security checks, potentially impacting systems that host LLMs. The main concern is confirming relevance and exposure.

  • Allows arbitrary code execution on server startup.
  • Important for systems using LLM inference engines.
  • Confirm if your LLM engine is affected.

Attack Path

How an attacker could exploit the issue

An attacker can gain control of a vLLM server by influencing the model repository or path used to load large language models. This vulnerability allows arbitrary Python code to execute on the server when it starts up, even before it begins processing requests, and without requiring any authentication or API access.

  • Attacker controls model repository.
  • Server loads dynamic code without checks.
  • Arbitrary code execution on host.

Live Threat

Current exploitation, exposure, and threat context

When vLLM loads models from an attacker-controlled source during startup, it could execute arbitrary code on the host system. This vulnerability occurs before any request is processed and does not require user interaction or API access, potentially impacting the integrity and availability of the vLLM host.

  • System code execution on the host.
  • Attacker-controlled model loading.
  • Complete host compromise possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vLLM inference engine is susceptible to arbitrary code execution if it loads models from a compromised repository during startup. This vulnerability affects versions 0.10.1 through 0.13.x, allowing attackers to achieve code execution before any requests are processed, requiring no API access. Teams responsible for managing AI/ML infrastructure or custom model deployments should prioritize identifying all instances of vLLM, assessing their exposure to untrusted model sources, and planning immediate remediation.

  • Application owners should own remediation efforts.
  • Verify model source trust and vLLM deployment reachability.
  • Plan for update or mitigation during the next maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is vLLM and how is it used?

vLLM is an open-source software engine designed to serve and run large language models efficiently. It acts as the infrastructure layer that developers use to power AI applications, enabling high-throughput model inference. Because it manages complex model loading processes, it is a critical component in AI/ML production stacks where performance and model scalability are prioritized.

What does CVE-2026-22807 mean for vLLM security?

This vulnerability is classified as Improper Neutralization of Special Elements used in an OS Command, or CWE-94. It means the software insecurely processes dynamic code instructions found within model files. Instead of safely isolating the model, the engine automatically executes custom Python code hidden in a model path, granting an attacker the ability to run unauthorized commands directly on the host server.

How is this vulnerability triggered?

The trigger occurs during the model loading phase at server startup. An attacker influences the software to point toward a malicious or compromised model repository. Crucially, the vulnerability does not require any interaction with the service's API or valid authentication to trigger; the system executes the hidden code simply by attempting to load the target model.

How do I know if my vLLM installation is at risk?

According to Halo Surface Signal, while vLLM is often used for internal services, its role as an inference engine frequently leads to internet-facing deployments. You should consider your system at higher risk if your environment allows model loading from external or untrusted sources. Audit your infrastructure to determine if your vLLM instances are reachable from outside your protected network perimeter.

What is the recommended response to this vulnerability?

If you are running any vLLM version from 0.10.1 up to 0.13.x, you should prioritize updating to version 0.14.0 or later, which includes the necessary security fixes. While planning your update, verify the integrity of all model repositories you currently use and restrict the ability of your services to load models from untrusted or unverified locations.

References