AI Alert

AI/ML CVE Roundup: May 2026 — What Got Patched

A summary of AI and ML-adjacent CVEs disclosed in May 2026 across model serving frameworks, vector databases, and LLM API libraries. Format: CVE ID, severity, component, exploitation status, patch status.

By Theo Voss · 2026-05-06 · 8 min read

May 2026 produced a busy patch cycle for the ML infrastructure stack. Advisories dropped across model serving frameworks, vector databases, orchestration libraries, and Python package tooling. This roundup covers the disclosures worth tracking; we skip low-severity issues with no plausible exploitation path in standard deployments.

Severity labels follow CVSS v3.1 convention. Patch status is as of publication date (2026-05-06); check vendor advisories for updates.


CVE-2026-8821 — vLLM Arbitrary File Read via Model Loading Path Traversal

Severity: High (CVSS 8.1)
Affected component: vLLM <= 0.4.3, model loading subsystem
CWE: CWE-22 (Path Traversal)

vLLM’s model loading handler did not sufficiently sanitize user-supplied model identifier strings. In deployments that expose the model identifier as a configurable parameter to untrusted callers, an attacker could supply a path-traversal string (e.g., ../../../../etc/passwd) as the model name and cause the serving layer to attempt loading from arbitrary filesystem paths. On systems where the serving process runs with broad file permissions, this enables arbitrary file read from the host.

Exploitation: Possible in deployments where the --model parameter or its equivalent is populated from untrusted user input. Default single-model deployments are not exposed. Multi-tenant serving setups, or any configuration allowing dynamic model selection, are at risk.
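The check that closes this class of bug is a resolver that maps a caller-supplied identifier to a path and refuses anything that lands outside the model directory. The following is an added example, not vLLM's code; the model root, the identifier grammar (HF-style "org/name") and the helper names are assumptions made for the illustration. It shows why a naive "strip ../" is not enough: legitimate identifiers contain a slash, so the allowlist has to be positive, and a realpath containment test is still needed for symlinks planted inside the root.

```python
import os
import re

# Constructed for this example: the only directory models may be loaded from.
MODEL_ROOT = "/srv/models"
# HF-style identifiers: "name" or "org/name", each segment starting with an
# alphanumeric, so ".", "..", a leading "/" and backslashes fail syntactically.
MODEL_ID_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]{0,95}(/[A-Za-z0-9][A-Za-z0-9._-]{0,95})?$")


class ModelIdError(ValueError):
    pass


def resolve_model_path(model_id: str, root: str = MODEL_ROOT) -> str:
    """Map an untrusted model identifier to a path under `root`, or raise.

    Two independent checks: the syntactic allowlist above, then a realpath
    containment test so that a symlink planted inside `root` cannot point the
    loader back outside it. Only the path is returned; loading is the caller's job.
    """
    if not isinstance(model_id, str) or "\x00" in model_id:
        raise ModelIdError("model id must be a NUL-free string")
    if not MODEL_ID_RE.fullmatch(model_id):
        raise ModelIdError(f"model id {model_id!r} is not in org/name form")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, model_id))
    # commonpath is the right containment test; a plain startswith(root) would
    # also accept a sibling directory such as "/srv/models-evil".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ModelIdError(f"model id {model_id!r} resolves outside {root_real}")
    return candidate


def check_ids(model_ids, root: str = MODEL_ROOT) -> dict:
    """Resolve each id, recording the path or the rejection reason."""
    out = {}
    for m in model_ids:
        try:
            out[m] = resolve_model_path(m, root)
        except ModelIdError as e:
            out[m] = "REJECTED: " + str(e)
    return out


if __name__ == "__main__":
    # Constructed inputs: one legitimate id, three traversal attempts.
    for k, v in check_ids(["meta-llama/Llama-3-8B", "../../../../etc/passwd",
                           "/etc/passwd", "org/name/../../x"]).items():
        print(f"{k!r:32} -> {v}")
```

The realpath step matters in practice: if a tenant can write into the model root (shared caches, upload endpoints), a symlink named like a model defeats any purely string-based filter, and only the containment test catches it.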

Patch status: Fixed in vLLM 0.4.4. Update and pin.


CVE-2026-8854 — Chroma Vector Database SSRF via Collection Metadata

Severity: High (CVSS 7.7)
Affected component: Chroma <= 0.5.1, metadata ingestion pipeline
CWE: CWE-918 (Server-Side Request Forgery)

Chroma’s collection creation endpoint accepted arbitrary URLs in document metadata fields without validation. When the Chroma instance was configured with an HTTP client for fetching referenced content (a non-default but documented configuration), an attacker with write access to a Chroma collection could cause the server to make outbound HTTP requests to attacker-controlled URLs. In cloud environments, this provides a path to EC2/GCP/Azure instance metadata endpoints.

Exploitation: Requires write access to the Chroma instance. In deployments where Chroma is populated from user-submitted documents or RAG ingestion pipelines that process untrusted content, write access may be achievable indirectly.

Patch status: Fixed in Chroma 0.5.2. The fix validates URL schemes and blocklists RFC 1918 address ranges plus known cloud metadata IP addresses.
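A scheme-and-blocklist check of the kind the fix describes is only as good as the address it is applied to: a hostname that resolves to 169.254.169.254, an IPv4-mapped IPv6 literal, or a name that flips from a public to a private address between check and fetch (DNS rebinding) all slip past a filter that only looks at the URL text. The example below is added here and is not Chroma's code; the metadata hostname list and the fake DNS table are constructed for the illustration. It returns the vetted IP so the caller can pin the connection to it rather than re-resolving.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Provider metadata hostnames (assumed, not exhaustive); numeric forms are
# caught by the address checks below.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def default_resolver(host: str) -> set:
    """All addresses the HTTP client could connect to for `host`."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_private covers RFC 1918 and the IPv6 ULA block (fd00::/8, where AWS
    # places fd00:ec2::254); is_link_local covers 169.254.0.0/16.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vet_fetch_url(url: str, resolver=default_resolver) -> str:
    """Return the single IP the fetch must be pinned to, or raise ValueError.

    Every address the name resolves to must be public. The caller should
    connect to the returned address instead of resolving again, because a
    second lookup reopens the rebinding window between check and request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host.rstrip(".") in METADATA_HOSTS:
        raise ValueError(f"metadata hostname {host!r} blocked")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal: no DNS needed
    except ValueError:
        addrs = set(resolver(host))
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    bad = sorted(a for a in addrs if not is_public_address(a))
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address {bad}")
    return sorted(addrs)[0]


# Constructed DNS answers so the example runs offline; the second name
# returns a private address alongside a public one, the rebinding pattern.
FAKE_DNS = {
    "docs.example.com": {"93.184.216.34"},
    "rebind.example.net": {"93.184.216.34", "10.0.0.5"},
    "localhost": {"127.0.0.1"},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


def vet_all(urls, resolver=fake_resolver) -> dict:
    out = {}
    for u in urls:
        try:
            out[u] = vet_fetch_url(u, resolver)
        except ValueError as e:
            out[u] = "REJECTED: " + str(e)
    return out
```

In production, pass the same resolver your HTTP client uses (glibc's getaddrinfo also accepts forms like decimal or hex single-number IPv4, which the literal check above deliberately leaves to the resolver), and make the client follow redirects only through this check again, since a 302 to the metadata address is the usual second hop.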


CVE-2026-8911 — LangChain Python Arbitrary Code Execution via PythonREPLTool

Severity: Critical (CVSS 9.1)
Affected component: langchain-experimental <= 0.3.4, PythonREPLTool
CWE: CWE-78 (Improper Neutralization of Special Elements — OS Command Injection)

The PythonREPLTool in langchain-experimental executes Python code via exec() with no sandboxing. This is by design — the tool is intended to run Python — but the advisory concerns a secondary issue: the tool’s output handling did not sanitize tool output before returning it to the LLM context, and the default chain configuration did not restrict what the LLM was permitted to invoke the tool with.

In practice this means that an indirect prompt injection attack against a LangChain agent with PythonREPLTool enabled achieves arbitrary code execution on the host. An attacker who can inject instructions into a document the agent processes can cause the agent to write and execute arbitrary Python.

Exploitation: Confirmed in research demonstration against publicly accessible LangChain agent demos. Exploitation requires the agent to have PythonREPLTool enabled — it is not enabled by default but is common in code-assistant setups.

Patch status: langchain-experimental 0.3.5 adds a dangerous_code_execution flag that is off by default. Existing deployments need to explicitly evaluate whether they need the tool enabled.

Note: This is a systemic design issue in agentic LLM frameworks, not a narrow implementation bug. Any agent with shell or code execution access and without robust indirect injection protection shares this exposure class.


CVE-2026-8977 — Ollama Remote Code Execution via Malformed GGUF Header

Severity: Critical (CVSS 9.3)
Affected component: Ollama <= 0.2.6, GGUF model loading
CWE: CWE-122 (Heap-Based Buffer Overflow)

Ollama’s GGUF format parser contained a heap buffer overflow in its metadata key-value pair reader: a malformed GGUF file with a crafted key length field caused an out-of-bounds write during model loading. ASLR on Linux and macOS builds raises the cost of exploitation but does not prevent it, and the advisory reports the bug as exploitable in certain configurations.

Exploitation: An attacker needs to cause Ollama to load a malicious GGUF file. In the default local configuration this requires local access. However, Ollama instances exposed on the network (port 11434) that accept model pull requests from untrusted sources — or that load models from user-specified paths — are remotely exploitable.
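The bug class is a length field trusted before it is compared with what the file actually contains. The reader below is an added example, not Ollama's or llama.cpp's parser; it follows the GGUF v2/v3 layout (magic, u32 version, u64 tensor count, u64 KV count, then key string, u32 type, value) and applies the check the advisory implies was missing, at every read. Python cannot reproduce a heap overflow, so what the example demonstrates is the defensive shape: a crafted key length is rejected instead of driving the read. The size ceilings are this example's assumptions, not spec limits.

```python
import struct

GGUF_MAGIC = b"GGUF"
# Value type codes from the GGUF spec; 8 = string, 9 = array.
SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i", 6: "<f",
              7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
T_STRING, T_ARRAY = 8, 9
# Sanity ceilings (assumptions for this example): anything larger is hostile.
MAX_STR_LEN = 1 << 20
MAX_KEY_LEN = 1024
MAX_COUNT = 1 << 16


class GGUFError(ValueError):
    pass


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        # The check a vulnerable reader lacks: every length field is validated
        # against the bytes actually remaining before it is used.
        if n < 0 or n > len(self.data) - self.pos:
            raise GGUFError(f"need {n} bytes at offset {self.pos}, "
                            f"only {len(self.data) - self.pos} remain")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def scalar(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def string(self, limit: int) -> str:
        n = self.scalar("<Q")
        if n > limit:
            raise GGUFError(f"string length {n} exceeds limit {limit}")
        return self.take(n).decode("utf-8", errors="replace")

    def value(self, vtype: int, depth: int = 0):
        if vtype in SCALAR_FMT:
            return self.scalar(SCALAR_FMT[vtype])
        if vtype == T_STRING:
            return self.string(MAX_STR_LEN)
        if vtype == T_ARRAY:
            if depth > 0:
                raise GGUFError("nested arrays are not accepted by this reader")
            etype, count = self.scalar("<I"), self.scalar("<Q")
            if count > MAX_COUNT:
                raise GGUFError(f"array length {count} exceeds limit")
            return [self.value(etype, depth + 1) for _ in range(count)]
        raise GGUFError(f"unknown value type {vtype}")


def parse_gguf_metadata(data: bytes) -> dict:
    """Return the header fields and metadata key/value section of a GGUF file."""
    r = _Reader(data)
    if r.take(4) != GGUF_MAGIC:
        raise GGUFError("not a GGUF file")
    version = r.scalar("<I")
    if version not in (2, 3):
        raise GGUFError(f"unsupported GGUF version {version}")
    tensor_count, kv_count = r.scalar("<Q"), r.scalar("<Q")
    if kv_count > MAX_COUNT:
        raise GGUFError(f"kv_count {kv_count} exceeds limit")
    meta = {}
    for _ in range(kv_count):
        key = r.string(MAX_KEY_LEN)
        meta[key] = r.value(r.scalar("<I"))
    return {"version": version, "tensor_count": tensor_count, "metadata": meta}


def _gstr(s: str) -> bytes:
    b = s.encode()
    return struct.pack("<Q", len(b)) + b


def _header(kv_blobs: list) -> bytes:
    return GGUF_MAGIC + struct.pack("<IQQ", 3, 0, len(kv_blobs)) + b"".join(kv_blobs)


# Constructed samples: a well-formed header, and one whose key length field
# claims far more bytes than the file holds (the shape of the advisory's bug).
GOOD_GGUF = _header([
    _gstr("general.architecture") + struct.pack("<I", T_STRING) + _gstr("llama"),
    _gstr("llama.context_length") + struct.pack("<I", 4) + struct.pack("<I", 4096),
])
MALFORMED_GGUF = _header([
    struct.pack("<Q", 0xFFFFFFFFFFFFFFF0) + b"general.arch",
])


def try_parse(data: bytes):
    """Parse, returning the result or the rejection reason."""
    try:
        return parse_gguf_metadata(data)
    except GGUFError as e:
        return f"rejected: {e}"
```

A reader written this way also rejects truncated files and bogus magic, which is useful as a pre-flight check on anything pulled from an untrusted registry before the real loader touches it.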

Patch status: Fixed in Ollama 0.2.7. This is a critical update for any Ollama deployment accessible from the network.


CVE-2026-9014 — Weaviate GraphQL Injection

Severity: Medium (CVSS 6.5)
Affected component: Weaviate <= 1.25.1, GraphQL query interface
CWE: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)

Weaviate’s GraphQL interface did not properly validate certain query parameter types, allowing an attacker with API access to inject additional query clauses by manipulating string parameters passed to filter arguments. The impact is limited to data disclosure within the Weaviate instance — an attacker can retrieve object data they should not have access to based on access control policies, but cannot write or delete.

Exploitation: Requires API access. Relevant for multi-tenant Weaviate deployments using API-key-per-tenant isolation.
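The server-side fix is in 1.25.2; on the client side, the pattern that keeps a tenant's string from ever becoming query syntax is the same one used against SQL injection: never splice values into the query text, send them as GraphQL variables. The snippet below is an added example and not Weaviate's or its client library's code. It assumes a Weaviate-style Get query with a where filter, that class names are capitalised identifiers, and that the endpoint honours standard GraphQL variables; the attacker string is constructed to show the difference between the two builders.

```python
import re

# Assumption for this example: class names are capitalised identifiers, so
# anything else in that position is refused rather than interpolated.
CLASS_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*$")


def build_filter_query_unsafe(class_name: str, title: str) -> dict:
    """Vulnerable pattern: a caller-controlled string is spliced into the query."""
    query = ('{ Get { %s(where: {path: ["title"], operator: Equal, valueText: "%s"}) '
             '{ title } } }' % (class_name, title))
    return {"query": query}


def build_filter_query(class_name: str, title: str) -> dict:
    """Hardened pattern: identifiers are allowlisted, values ride as variables.

    The query text is a constant per class, so no value can change its shape;
    the server receives the string purely as data in `variables`.
    """
    if not CLASS_NAME_RE.fullmatch(class_name):
        raise ValueError(f"refusing class name {class_name!r}")
    query = ('query ($title: String!) { Get { %s(where: {path: ["title"], '
             'operator: Equal, valueText: $title}) { title } } }' % class_name)
    return {"query": query, "variables": {"title": title}}


def class_name_accepted(class_name: str) -> bool:
    try:
        build_filter_query(class_name, "")
        return True
    except ValueError:
        return False


# Constructed attacker value: closes the string and the where clause, selects
# another class, then comments out the rest of the original query with '#'.
INJECTED_TITLE = 'x"}) { title } OtherClass { secret } } } #'


def injection_reached_query(payload: dict, marker: str = "OtherClass { secret }") -> bool:
    """True if the untrusted value ended up inside the query text itself."""
    return marker in payload["query"]
```

If your GraphQL endpoint does not accept variables, the fallback is a spec-correct string escape (backslash, double quote, control characters), but variables are the robust choice because the value never goes through the parser as syntax at all.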

Patch status: Fixed in Weaviate 1.25.2.


CVE-2026-9031 — Hugging Face transformers Arbitrary Code Execution via trust_remote_code

Severity: High (CVSS 8.4), context-dependent
Affected component: transformers <= 4.41.0 (not a new bug; updated scoring)
CWE: CWE-502 (Deserialization of Untrusted Data)

This is not a new vulnerability but a revised CVSS score for the trust_remote_code=True behavior in Hugging Face transformers. When a model is loaded with trust_remote_code=True, arbitrary Python code shipped in the model’s repository is executed on the loading host. The NVD entry was updated to reflect confirmed exploitation in the wild: in April 2026 several malicious models on the Hugging Face Hub were found to carry payloads in their modeling_*.py files, relying on the trust_remote_code=True invocation that much example code copies verbatim.

Exploitation: Active in the wild. Affects any environment that loads models with trust_remote_code=True from the Hub without verifying model repository contents.

Mitigation: Do not load unverified community models with trust_remote_code=True. Audit any existing code that sets the flag. Prefer the safetensors weight format where possible (it closes the pickle deserialization path, though not the custom-code path) and pin model versions by commit hash.
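Auditing a repository before loading it is mostly a matter of looking at three things in the snapshot: the auto_map entry in config.json (the hook that trust_remote_code=True acts on, which names the modeling_*.py classes the loader would import), any .py files, and whether the weights are pickle-based (.bin, .pt) or safetensors. The script below is an added example, not part of transformers or the Hub tooling; it builds two constructed snapshots in a temporary directory, one with custom code and one clean, and inspects them without importing or loading anything.

```python
import glob
import json
import os
import tempfile

# Weight formats that go through pickle and therefore run code on load.
PICKLE_WEIGHTS = (".bin", ".pt", ".pth", ".ckpt")


def audit_model_snapshot(path: str) -> dict:
    """Inspect a downloaded model repo without importing or loading anything.

    `auto_map` in config.json is what trust_remote_code=True acts on: it names
    the modeling_*.py classes the loader would import. Its presence, or any
    .py file, means the repo cannot load with trust_remote_code=False and has
    to be read by a person first.
    """
    f = {"auto_map": {}, "python_files": [], "pickle_weights": [], "safetensors": []}
    cfg = os.path.join(path, "config.json")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as fh:
            f["auto_map"] = json.load(fh).get("auto_map") or {}
    for p in sorted(glob.glob(os.path.join(path, "**", "*"), recursive=True)):
        rel = os.path.relpath(p, path)
        if p.endswith(".py"):
            f["python_files"].append(rel)
        elif p.endswith(PICKLE_WEIGHTS):
            f["pickle_weights"].append(rel)
        elif p.endswith(".safetensors"):
            f["safetensors"].append(rel)
    f["needs_remote_code"] = bool(f["auto_map"]) or bool(f["python_files"])
    f["loadable_without_trust"] = not f["needs_remote_code"] and not f["pickle_weights"]
    return f


def build_sample_snapshots() -> tuple:
    """Constructed repos for the example: one with custom code, one clean."""
    root = tempfile.mkdtemp(prefix="model-audit-")
    custom = os.path.join(root, "custom-model")
    os.makedirs(custom)
    with open(os.path.join(custom, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"architectures": ["DemoForCausalLM"],
                   "auto_map": {"AutoModelForCausalLM": "modeling_demo.DemoForCausalLM"}}, fh)
    with open(os.path.join(custom, "modeling_demo.py"), "w", encoding="utf-8") as fh:
        fh.write("# anything here runs at import time under trust_remote_code=True\n")
    open(os.path.join(custom, "pytorch_model.bin"), "wb").close()

    clean = os.path.join(root, "clean-model")
    os.makedirs(clean)
    with open(os.path.join(clean, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"architectures": ["LlamaForCausalLM"]}, fh)
    open(os.path.join(clean, "model.safetensors"), "wb").close()
    return custom, clean


if __name__ == "__main__":
    for snapshot in build_sample_snapshots():
        print(os.path.basename(snapshot), audit_model_snapshot(snapshot))
```

Run the audit on a snapshot fetched at a specific commit, and load with that same commit via the revision argument of from_pretrained and trust_remote_code left at its default of False; a repo that then fails to load is one that needs the custom-code review before anyone flips the flag.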


Summary

CVE             Component                       Severity       Patched
CVE-2026-8821   vLLM path traversal             High 8.1       Yes — 0.4.4
CVE-2026-8854   Chroma SSRF                     High 7.7       Yes — 0.5.2
CVE-2026-8911   LangChain PythonREPL            Critical 9.1   Partial — flag added
CVE-2026-8977   Ollama GGUF overflow            Critical 9.3   Yes — 0.2.7
CVE-2026-9014   Weaviate GraphQL injection      Medium 6.5     Yes — 1.25.2
CVE-2026-9031   transformers trust_remote_code  High 8.4       No patch — config change

The pattern this month mirrors the past several quarters: serving infrastructure and document loading pipelines remain the most exposed surface. The LangChain advisory is worth treating as a design-level signal for any team running agentic workflows — the presence of code execution tools in an agent without independent injection protection is a class of risk, not a single CVE.

mlcves.com tracks ML-specific CVEs with searchable component and severity filters. Subscribe to their feed if you maintain a software bill of materials for your ML stack.

Sources

  1. NVD CVE Search
  2. mlcves.com — ML CVE Database