{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47155", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-18T21:25:34.496Z", "datePublished": "2026-06-22T22:20:10.793Z", "dateUpdated": "2026-06-23T12:35:39.739Z"}, "containers": {"cna": {"title": "vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm"}, {"name": "https://github.com/vllm-project/vllm/pull/42616", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/42616"}, {"name": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6"}, {"name": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac", "tags": ["x_refsource_MISC"], "url": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": "< 0.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T22:20:10.793Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0."}], "source": {"advisory": "GHSA-3ww4-5jv9-j5gm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T12:34:39.566846Z", "id": "CVE-2026-47155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T12:35:39.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T12:34:39.566846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T12:35:33.893Z"}}], "cna": {"title": "vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors", "source": {"advisory": "GHSA-3ww4-5jv9-j5gm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"status": "affected", "version": "< 0.22.0"}]}], "references": [{"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vllm-project/vllm/pull/42616", "name": "https://github.com/vllm-project/vllm/pull/42616", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6", "name": "https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6", "tags": ["x_refsource_MISC"]}, {"url": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac", "name": "https://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T22:20:10.793Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47155", "state": "PUBLISHED", "dateUpdated": "2026-06-23T12:35:39.739Z", "dateReserved": "2026-05-18T21:25:34.496Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T22:20:10.793Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "vllm: vLLM: Supply-chain integrity issue due to inconsistent revision pinning controls", "id": "2491580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491580"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-829", "details": ["vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.", "A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). The revision pinning controls in vLLM do not consistently apply to all artifacts loaded for a model. This allows a deployment configured with specific revisions to still load dynamic code or other configuration files from an unpinned or default revision. This issue can lead to a supply-chain integrity compromise, where operators may unknowingly serve models with unreviewed or unintended behavior."], "mitigation": {"lang": "en:us", "value": "Upgrade to a vLLM build containing the fix (>= 0.22.0) when available from Red Hat. Until then, only serve models from trusted registries, pin revisions explicitly, and review nested artifacts in model repositories before deployment."}, "name": "CVE-2026-47155", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-cpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-neuron-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-cpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-gaudi-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-neuron-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaii/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-llm-d-kv-cache-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-06-22T22:20:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47155\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47155\nhttps://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6\nhttps://github.com/vllm-project/vllm/pull/42616\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-3ww4-5jv9-j5gm\nhttps://huntr.com/bounties/3f1e24c0-87d2-4f6c-a705-820f380879ac"], "statement": "Red Hat rates this issue as having Moderate impact. The flaw is a supply-chain integrity issue when operators pin a HuggingFace model revision but vLLM may still load nested artifacts from an unpinned revision. It affects Red Hat AI Inference Server, Red Hat OpenShift AI, and Red Hat Enterprise Linux AI images that ship vLLM versions prior to 0.22.0. KServe control-plane components that bundle vLLM as a library are not affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.22.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vllm", "source": "cna", "vendor": "vllm-project"}, "product": "vllm", "vendor": "vllm-project"}], "created": "2026-06-22T23:30:05.606708+00:00", "updated": "2026-06-29T14:00:05.026306+00:00", "vendors": ["vllm-project", "vllm-project$PRODUCT$vllm"]}