PT-2026-38410 · Hugging Face · Diffusers

Vancir · Published 2026-05-07 · Updated 2026-05-19 · CVE-2026-44513

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Diffusers versions prior to 0.38.0

Description: A bypass of the trust_remote_code security gate in the DiffusionPipeline.from_pretrained() function allows arbitrary remote code execution, even when trust_remote_code is set to False or left as default. This occurs because the security check was implemented within the DiffusionPipeline.download() function rather than at the dynamic-module load site, allowing any code path that bypasses download() to execute untrusted code. This manifests in three scenarios: when a custom pipeline is loaded from a different repository than the primary model, when a local snapshot is used with a Hub-based custom pipeline, or when a local snapshot contains custom component files referenced in model_index.json.

Recommendations: Update to version 0.38.0. Only use pretrained_model_name_or_path, custom_pipeline, and local snapshot directories from fully trusted and audited sources. Avoid using the custom_pipeline parameter to point to a Hub repository different from the primary pretrained_model_name_or_path without first auditing the pipeline.py file. Inspect local snapshots for unexpected *.py files, particularly in the root and component subdirectories, before calling from_pretrained().
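
The snapshot inspection recommended above, as an added example (not code from this advisory or from Diffusers). It assumes model_index.json maps each component name to a [module, class] pair and that a custom component's code sits at <component>/<module>.py; the function name and finding labels are hypothetical.

```python
import json
import sys
from pathlib import Path


def audit_snapshot(snapshot_dir):
    """List *.py files in a snapshot's root and component subdirectories.

    Returns sorted (relative_path, kind) tuples; an empty list means no
    Python source was found at either level.
    """
    root = Path(snapshot_dir)
    findings = []
    index = {}
    index_path = root / "model_index.json"
    if index_path.is_file():
        try:
            index = json.loads(index_path.read_text(encoding="utf-8"))
        except ValueError:  # malformed JSON or undecodable bytes
            findings.append(("model_index.json", "unparseable-index"))
    if not isinstance(index, dict):
        index = {}

    # Assumed layout: "component": ["module", "ClassName"]; custom component
    # code would then sit at <component>/<module>.py inside the snapshot.
    referenced = {
        f"{name}/{spec[0]}.py"
        for name, spec in index.items()
        if isinstance(spec, list) and spec and isinstance(spec[0], str)
    }

    # Root plus first-level subdirectories, the two places the advisory names.
    for path in list(root.glob("*.py")) + list(root.glob("*/*.py")):
        rel = path.relative_to(root).as_posix()
        if rel in referenced:
            kind = "component-code-referenced-by-index"
        elif path.parent == root:
            kind = "root-level-code"
        else:
            kind = "unreferenced-subdirectory-code"
        findings.append((rel, kind))
    return sorted(findings)


if __name__ == "__main__":
    results = audit_snapshot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, kind in results:
        print(f"{kind}: {rel}")
    # Non-zero exit lets a wrapper script refuse to load the snapshot.
    sys.exit(1 if results else 0)
```

Each finding marks a file to read before the snapshot is passed to from_pretrained(); the check reports presence only and does not judge what the code does.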

Fix

RCE

Code Injection

Improperly Implemented Security Check for Standard


Weakness Enumeration

Related Identifiers

CVE-2026-44513
GHSA-98H9-4798-4Q5V
PYSEC-2026-40

Affected Products

Diffusers