vLLM CVE-2026-27893, `--trust-remote-code=False` is silently ignored for Nemotron-VL and Kimi-K25 models

Reddit r/LocalLLaMA / 3/30/2026


Key Points

  • vLLM is affected by CVE-2026-27893, where `--trust-remote-code=False` is silently ignored because Nemotron-VL and Kimi-K25 model files hardcode `trust_remote_code=True`.
  • This misconfiguration enables a malicious Hugging Face repository to achieve code execution on the inference server without warnings or log entries.
  • The issue impacts vLLM versions 0.10.1 through 0.17.x, while vLLM 0.18.0 reportedly includes the fix.
  • The advisory notes this is the third occurrence of the same vulnerability class in vLLM, but it manifests through different code paths each time.

Two vLLM model files hardcode `trust_remote_code=True`, overriding an explicit `False` setting with no warning or log entry. A malicious Hugging Face repository targeting either architecture can achieve code execution on the inference server. This is the third time the same vulnerability class has surfaced in vLLM, but in a different code path each time. Versions 0.10.1 through 0.17.x are affected; 0.18.0 contains the fix.

Detailed analysis: https://raxe.ai/labs/advisories/RAXE-2026-044
CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-27893

submitted by /u/cyberamyntas
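Two defender-side checks that follow from the post, written as an added example (not code from vLLM, the advisory, or the post): an `ast` audit that flags every call passing a literal `trust_remote_code=True`, so an operator can find loader code that overrides the CLI flag, and a pre-load check of a Hugging Face snapshot for an `auto_map` entry or bundled `.py` files, which is what makes a repository able to run its own Python. The sample loader source and config below are constructed, not taken from vLLM or from any real model repository.

```python
"""Checks for hardcoded trust_remote_code and for repos that ship custom code."""
import ast
import json


def audit_hardcoded_trust(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Return (line, callee) for each call that passes the literal True.

    Calls that forward a variable (trust_remote_code=flag) are not flagged;
    only a constant True, which ignores whatever the operator configured.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append((node.lineno, ast.unparse(node.func)))
    return findings


def repo_needs_remote_code(config_json: str, file_names: list[str]) -> bool:
    """True if loading this snapshot would execute repo-supplied Python.

    `auto_map` in config.json points the Auto* classes at a module inside the
    repo; any bundled .py file is treated as custom code as well. A deployment
    that runs with --trust-remote-code=False can refuse such repos up front,
    so the decision does not depend on the loader honouring the flag.
    """
    cfg = json.loads(config_json)
    return bool(cfg.get("auto_map")) or any(n.endswith(".py") for n in file_names)


# Constructed sample loader: line 3 forwards the flag, line 4 hardcodes True.
SAMPLE_LOADER = '''\
from transformers import AutoConfig, AutoModel
def load(model_id, trust_remote_code):
    cfg = AutoConfig.from_pretrained(model_id, trust_remote_code=trust_remote_code)
    return AutoModel.from_pretrained(model_id, trust_remote_code=True)
'''

if __name__ == "__main__":
    for line, callee in audit_hardcoded_trust(SAMPLE_LOADER, "sample_loader.py"):
        print(f"sample_loader.py:{line}: {callee} hardcodes trust_remote_code=True")
```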