Publish GHSA-7972-pg2x-xr59

advisory-database[bot] · advisory-database[bot] · commit 87d41fba44af · 2026-03-27T15:28:56.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-7972-pg2x-xr59/GHSA-7972-pg2x-xr59.json b/advisories/github-reviewed/2026/03/GHSA-7972-pg2x-xr59/GHSA-7972-pg2x-xr59.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7972-pg2x-xr59",
+  "modified": "2026-03-27T15:27:20Z",
+  "published": "2026-03-27T15:27:20Z",
+  "aliases": [
+    "CVE-2026-27893"
+  ],
+  "summary": "vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out",
+  "details": "### Summary\n\n  Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model\n  repositories even when the user has explicitly disabled remote code trust.\n\n  ### Details\n\n  **Affected files (latest main branch):**\n\n  1. `vllm/model_executor/models/nemotron_vl.py:430`\n  ```python\n  vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)\n```\n\n  2. vllm/model_executor/models/kimi_k25.py:177\n \n```python\n  cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)\n```\n\n  Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting.\n\n  Relation to prior CVEs:\n  - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path)\n  - CVE-2026-22807 fixed broader auto_map at startup\n  - Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths.\n\n### Impact\n\n  Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee\n  that trust_remote_code=False is intended to provide.\n\n  Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "vllm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.10.1"
+            },
+            {
+              "fixed": "0.18.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27893"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/pull/36192"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vllm-project/vllm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T15:27:20Z",
+    "nvd_published_at": "2026-03-27T00:16:22Z"
+  }
+}
