CVE-2026-27893 is a critical security vulnerability identified in the vllm-project's vllm software, an inference and serving engine for large language models (LLMs). The vulnerability arises because two model implementation files within versions 0.10.1 through 0.17.x hardcode the parameter trust_remote_code=True when loading sub-components of models. This hardcoding bypasses the user's explicit security setting --trust-remote-code=False, which is intended to prevent execution of untrusted remote code. As a result, even if users opt out of trusting remote code, the software will still execute potentially malicious code embedded in model repositories. This leads to remote code execution (RCE) vulnerabilities, enabling attackers to run arbitrary code on the host system. The vulnerability is classified under CWE-693 (Protection Mechanism Failure), indicating a failure in enforcing security controls as designed. The CVSS v3.1 score is 8.8 (high severity), reflecting the vulnerability's network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet, but the risk is significant given the widespread adoption of LLM inference engines. The issue is resolved in vllm version 0.18.0, which removes the hardcoded trust_remote_code parameter, restoring user control over remote code execution policies. This vulnerability highlights the critical need for strict enforcement of user-configured security options in AI model serving frameworks, especially as they increasingly integrate third-party or remote model components.

The impact of CVE-2026-27893 is substantial for organizations deploying the vulnerable versions of vllm. Successful exploitation allows attackers to execute arbitrary code remotely on the inference server, potentially leading to full system compromise. This jeopardizes confidentiality by exposing sensitive data processed by the LLM, integrity by allowing manipulation of model outputs or system files, and availability by enabling denial-of-service or destructive actions. Since vllm is used to serve large language models, attackers could leverage this to inject malicious payloads, pivot within networks, or disrupt AI-driven services. The vulnerability circumvents explicit user security settings, increasing the risk of unnoticed exploitation. Organizations relying on LLM inference for critical applications, including research, customer service, or automation, face operational disruption and reputational damage. The lack of authentication requirement and network accessibility further widen the attack surface. Although no exploits are currently known in the wild, the high CVSS score and ease of exploitation necessitate urgent remediation to prevent potential attacks.

To mitigate CVE-2026-27893, organizations should immediately upgrade vllm to version 0.18.0 or later, where the hardcoded trust_remote_code parameter is removed. Until upgrading is possible, users should avoid loading models from untrusted or unknown remote repositories. Implement strict validation and whitelisting of model sources to prevent malicious code injection. Employ network segmentation and firewall rules to restrict access to vllm inference servers, limiting exposure to untrusted networks. Monitor logs and system behavior for unusual activity indicative of exploitation attempts. Consider running vllm within isolated containers or sandboxed environments to contain potential compromises. Additionally, enforce strict user policies disallowing the use of the --trust-remote-code=True flag unless absolutely necessary and verified. Regularly audit configurations and update dependencies to ensure no residual vulnerable versions remain in production. Finally, maintain up-to-date threat intelligence to detect emerging exploits targeting this vulnerability.