Insufficient verification of data authenticity in vLLM - CVE-2026-47155


Published: June 12, 2026


Vulnerability identifier: #VU134419
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-47155
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vLLM
Affected software:
vLLM

Detailed vulnerability description

The vulnerability allows a remote attacker to cause pinned deployments to load unpinned code, weights, and processors.

The vulnerability exists due to insufficient verification of data authenticity in artifact revision pinning across model loaders and dynamic module resolution when resolving model-related artifacts from repositories. A remote attacker who can modify, or simply rely on, mutable unpinned secondary artifacts can cause pinned deployments to load unpinned code, weights, and processors.

This affects supported loader paths where explicit model or code revision pins are not consistently propagated to secondary artifacts such as dynamic modules, GGUF files, image processors, and same-repository subfolder resources.
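The pattern behind CWE-345 here, modelled as an added example (not vLLM's or Hugging Face's code): an in-memory repository whose mutable "main" ref has moved past the pinned commit, a weak loader that honours the pin only for the primary config, and a hardened loader that threads the same pin to every secondary fetch, plus a defender check that every loaded artifact matches the pinned commit. The repository, commit ids, file names and function names are all constructed.

```python
"""Constructed model of the pin-propagation bug class; not vLLM code."""

# Constructed repo: "main" is mutable and already points past commit c1.
REPO = {
    "refs": {"main": "c2"},
    "commits": {
        "c1": {"config.json": "cfg-v1", "weights.gguf": "w-v1",
               "modeling.py": "code-v1",
               "processor/preprocessor_config.json": "proc-v1"},
        "c2": {"config.json": "cfg-v1", "weights.gguf": "w-v2",
               "modeling.py": "code-v2",
               "processor/preprocessor_config.json": "proc-v2"},
    },
}

# Secondary artifacts of the kinds the advisory lists: GGUF weights,
# dynamic module code and a subfolder image-processor config.
SECONDARY = ["weights.gguf", "modeling.py",
             "processor/preprocessor_config.json"]


def fetch(path, revision="main"):
    """Resolve a file at a revision; a branch name resolves to wherever
    it points *now*, so an unpinned fetch silently follows "main"."""
    commit = REPO["refs"].get(revision, revision)
    return REPO["commits"][commit][path]


def load_unpropagated(revision):
    """Weak pattern: only the primary config honours the pin; every
    secondary artifact falls back to the default mutable ref."""
    loaded = {"config.json": fetch("config.json", revision)}
    loaded.update({p: fetch(p) for p in SECONDARY})
    return loaded


def load_propagated(revision):
    """Hardened pattern: the same pin is passed to every fetch."""
    return {p: fetch(p, revision) for p in ["config.json", *SECONDARY]}


def artifacts_match_pin(loaded, revision):
    """Defender check: each loaded artifact equals the pinned commit's copy."""
    commit = REPO["refs"].get(revision, revision)
    return all(REPO["commits"][commit][p] == v for p, v in loaded.items())


if __name__ == "__main__":
    print(artifacts_match_pin(load_unpropagated("c1"), "c1"))  # False
    print(artifacts_match_pin(load_propagated("c1"), "c1"))    # True
```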


How to mitigate CVE-2026-47155

Install the security update from the vendor's website.

Sources