CVE Catalog

CVE-2026-54232

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile - higher than 20% of all known CVEs

Summary

vLLM, an inference and serving engine for large language models, is vulnerable to a dependency confusion attack in versions prior to 0.22.1. An attacker can register the flashinfer-jit-cache package on PyPI, allowing arbitrary code execution as root during the Docker build.

Risk Assessment

This vulnerability allows an attacker to access sensitive data, such as user prompts, API credentials, and model data, posing a significant threat to the security of production vLLM deployments.

Recommendation

It is recommended to upgrade to vLLM version 0.22.1 or later to mitigate this vulnerability and to block the installation of packages from untrusted sources.

Original NVD description (English source)

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the package name was not registered on PyPI, and UV_INDEX_STRATEGY="unsafe-best-match" is set globally. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build and backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments This vulnerability is fixed in 0.22.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS