CVE-2026-54232: CWE-427: Uncontrolled Search Path Element in vllm-project vllm
vLLM versions prior to 0.22.1 are vulnerable to a dependency confusion attack in the Docker build process. The vulnerability arises because the Dockerfile installs the flashinfer-jit-cache package from a custom index without registering the package on PyPI, combined with a globally set unsafe index strategy. An attacker can register a malicious package with the same name on PyPI, leading to arbitrary code execution as root during the Docker build. This can backdoor container images and enable exfiltration of sensitive data such as user prompts, API credentials, and model data. The issue is fixed in version 0.22.1.
AI Analysis
Technical Summary
The vLLM Dockerfile prior to version 0.22.1 uses --extra-index-url to install the flashinfer-jit-cache package from a custom index but does not register this package on PyPI. With the global setting UV_INDEX_STRATEGY="unsafe-best-match", an attacker can publish a malicious flashinfer-jit-cache package on PyPI (version 0.6.11.post2) that will be preferred during installation. This leads to arbitrary code execution as root during the Docker build process, compromising all resulting container images. The vulnerability allows attackers to backdoor images and exfiltrate sensitive data from production deployments. The vulnerability is identified as CWE-427 (Uncontrolled Search Path Element) and has a CVSS 3.1 score of 8.8 (high severity). It is fixed in vLLM version 0.22.1.
Potential Impact
Successful exploitation results in arbitrary code execution as root during the Docker build, compromising container images. Attackers can backdoor every resulting container image, enabling exfiltration of all user prompts, API credentials, and model data from production vLLM deployments. This leads to full confidentiality, integrity, and availability impact on affected systems.
Mitigation Recommendations
Upgrade vLLM to version 0.22.1 or later, where this vulnerability is fixed. Until then, avoid building Docker images with versions prior to 0.22.1 or modify the Dockerfile and package installation process to prevent dependency confusion attacks. Patch status is confirmed fixed in 0.22.1.
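To check a Dockerfile for the combination described above, the following added example (not code from vLLM or from this advisory) flags `--extra-index-url` installs that resolve under an unsafe uv index strategy. `SAMPLE` is a constructed Dockerfile, the index URL is a placeholder, and `audit_dockerfile` is a hypothetical helper name.

```python
import re

UNSAFE = {"unsafe-best-match", "unsafe-first-match"}
STRATEGY_ENV = re.compile(r"\bUV_INDEX_STRATEGY[=\s]+[\"']?([\w-]+)")
STRATEGY_FLAG = re.compile(r"--index-strategy[=\s]+[\"']?([\w-]+)")

# Constructed sample, not the vLLM Dockerfile; the index URL is a placeholder.
SAMPLE = '''\
FROM python:3.12-slim
ENV UV_INDEX_STRATEGY="unsafe-best-match"
RUN uv pip install --system flashinfer-jit-cache \\
    --extra-index-url https://wheels.example.invalid/simple
'''

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", 0

def audit_dockerfile(text):
    """Return (line_no, message) findings for extra indexes under an unsafe strategy."""
    findings, global_strategy = [], None
    for no, instr in logical_lines(text):
        keyword = instr.split(None, 1)[0].upper()
        if keyword in ("ENV", "ARG"):
            m = STRATEGY_ENV.search(instr)
            if m:
                global_strategy = m.group(1)
                if global_strategy in UNSAFE:
                    findings.append((no, f"global UV_INDEX_STRATEGY={global_strategy}"))
        elif keyword == "RUN" and "--extra-index-url" in instr:
            inline = STRATEGY_FLAG.search(instr) or STRATEGY_ENV.search(instr)
            strategy = inline.group(1) if inline else global_strategy
            if strategy in UNSAFE:
                findings.append((no, f"--extra-index-url resolved with {strategy}: "
                                     "a same-named PyPI package can win"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_dockerfile(SAMPLE):
        print(f"line {no}: {msg}")
```

With uv's default `first-index` strategy the same sample produces no findings. Plain pip gives `--extra-index-url` no priority order at all, so this check covers only uv-based installs.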
CVSS v3.1
Score 8.8 (high)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-12T16:25:43.084Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a39b9b1eed863c81e85ffa4
Added to database: 06/22/2026, 22:39:45 UTC
Last enriched: 06/22/2026, 22:54:05 UTC
Last updated: 06/22/2026, 22:54:05 UTC