Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54232

CVE-2026-54232: Vllm Dependency Confusion RCE Vulnerability

CVE-2026-54232 is a dependency confusion RCE vulnerability in Vllm that allows attackers to execute arbitrary code during Docker builds and backdoor container images. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-54232 Overview

CVE-2026-54232 is a dependency confusion vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The vLLM Dockerfile references the flashinfer-jit-cache package from a custom index (flashinfer.ai/whl/) using --extra-index-url, while UV_INDEX_STRATEGY="unsafe-best-match" is set globally. The package name was never registered on PyPI. An attacker who registers flashinfer-jit-cache on PyPI with version 0.6.11.post2 can execute arbitrary code as root during the Docker build. The vulnerability is tracked under [CWE-427] and is fixed in version 0.22.1.

Critical Impact

Successful exploitation backdoors every resulting vLLM container image, enabling exfiltration of user prompts, API credentials, and model data from production deployments.

Affected Products

  • vLLM versions prior to 0.22.1
  • vLLM official Dockerfile build pipeline
  • Container images built from vulnerable vLLM sources

Discovery Timeline

  • 2026-06-22 - CVE-2026-54232 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-54232

Vulnerability Analysis

The vLLM Dockerfile installs flashinfer-jit-cache from a private index at flashinfer.ai/whl/ declared with --extra-index-url. The build environment also sets UV_INDEX_STRATEGY="unsafe-best-match", instructing uv to select the highest version found across all configured indexes rather than restricting resolution to the intended source. Because the package name was never claimed on PyPI, the public namespace remained available to any registrant.

An attacker who registers flashinfer-jit-cache on PyPI with a version higher than the legitimate release, such as 0.6.11.post2, causes uv to prefer the attacker-controlled artifact during Docker build. The malicious wheel executes arbitrary code as root inside the build context. Any container produced from the build inherits the attacker's payload.

Root Cause

The root cause is unsafe package index resolution combined with an unclaimed package name on the public PyPI registry. Setting UV_INDEX_STRATEGY="unsafe-best-match" removes the implicit trust boundary between the private and public indexes, allowing the public registry to override the intended source when version numbers differ.

Attack Vector

The attack is remote and requires only that a victim build a vulnerable vLLM container image. The attacker publishes a malicious flashinfer-jit-cache package to PyPI with a higher version string. During docker build, uv resolves the dependency to the attacker-controlled wheel and runs its install hooks as root. Persistence is achieved by embedding a backdoor into the resulting image, which then propagates to every downstream deployment.

No verified public exploit code is available. See the GitHub Security Advisory for additional technical detail.

Detection Methods for CVE-2026-54232

Indicators of Compromise

  • Build logs showing flashinfer-jit-cache resolved from pypi.org rather than flashinfer.ai/whl/
  • Installation of flashinfer-jit-cache version 0.6.11.post2 or any version not published on the official flashinfer.ai index
  • Unexpected outbound network connections from vLLM containers to unknown hosts during runtime or build
  • Unauthorized processes or files created in container layers immediately after pip install or uv pip install steps

Detection Strategies

  • Inspect Docker build logs for the resolved source URL of flashinfer-jit-cache and confirm it matches the vendor index
  • Scan existing container images for the presence of flashinfer-jit-cache wheels and verify the SHA against the official release
  • Audit CI/CD pipelines for the UV_INDEX_STRATEGY environment variable and flag any use of unsafe-best-match
  • Monitor PyPI for newly registered packages whose names match private dependencies used in internal builds

Monitoring Recommendations

  • Enable egress monitoring on container build hosts to detect data exfiltration during image construction
  • Generate and review Software Bill of Materials (SBOM) for every vLLM image and compare against a known-good baseline
  • Alert on container runtime behavior such as unexpected child processes, credential file reads, or external API calls

How to Mitigate CVE-2026-54232

Immediate Actions Required

  • Upgrade vLLM to version 0.22.1 or later before building any new container images
  • Rebuild and redeploy all vLLM container images previously built from vulnerable sources
  • Rotate any API credentials, model access tokens, and secrets that were present in environments running affected images
  • Audit logs of historical builds to determine whether the malicious PyPI version was ever resolved

Patch Information

The vLLM maintainers fixed this issue in version 0.22.1. The fix removes reliance on UV_INDEX_STRATEGY="unsafe-best-match" and ensures flashinfer-jit-cache resolves only from the trusted vendor index. Reference the GitHub Security Advisory GHSA-jrf6-vqxq-pjv2 for the official patch notes.

Workarounds

  • Remove UV_INDEX_STRATEGY="unsafe-best-match" from the Dockerfile and CI environment, restricting resolution to explicit indexes
  • Pin flashinfer-jit-cache to a specific version with a known hash using --require-hashes
  • Register the flashinfer-jit-cache namespace defensively or use an internal package proxy that blocks public PyPI for private names
  • Build vLLM images in network-isolated environments that only permit traffic to vetted package indexes
bash
# Configuration example: restrict uv to the trusted index only
unset UV_INDEX_STRATEGY
uv pip install \
  --index-url https://flashinfer.ai/whl/ \
  --no-index-url-fallback \
  flashinfer-jit-cache==<pinned-version>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.