What happened
Prior to vLLM 0.22.0, vLLM's --revision and --code-revision controls do not consistently apply to all artifacts loaded for a model. Deployments that supply these flags to pin model code can still load dynamic code, GGUF files, and image processors from unpinned sources. CVSS 6.5 Medium, published 2026-06-22.
Why it matters
Operators use --revision pinning as a security control to prevent loading of modified model code in production. This bypass defeats that control, allowing a malicious model update on HuggingFace Hub to slip past the pinning mechanism and execute untrusted code on the inference server — a supply-chain attack vector against secured vLLM deployments.
Attack vector
Malicious model artifacts (dynamic code, GGUF files, image processors) at unpinned paths are loaded even when --revision is specified, bypassing the intended security control
Affected systems
vLLM < 0.22.0
Mitigation
Upgrade to vLLM 0.22.0. Fix commit: https://github.com/vllm-project/vllm/commit/d26a28ab033697f55a1414b5b0435de7cd6045b6