PT-2026-38410 · Hugging Face · Diffusers
Vancir · Published 2026-05-07 · Updated 2026-05-19 · CVE-2026-44513
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Diffusers versions prior to 0.38.0
Description
A bypass of the trust_remote_code security gate in the DiffusionPipeline.from_pretrained() function allows arbitrary remote code execution, even when trust_remote_code is set to False or left as default. This occurs because the security check was implemented within the DiffusionPipeline.download() function rather than at the dynamic-module load site, allowing any code path that bypasses download() to execute untrusted code. This manifests in three scenarios: when a custom pipeline is loaded from a different repository than the primary model, when a local snapshot is used with a Hub-based custom pipeline, or when a local snapshot contains custom component files referenced in model_index.json.
Recommendations
Update to version 0.38.0.
Only use pretrained_model_name_or_path, custom_pipeline, and local snapshot directories from fully trusted and audited sources.
Avoid using the custom_pipeline parameter to point to a Hub repository different from the primary pretrained_model_name_or_path without first auditing the pipeline.py file.
Inspect local snapshots for unexpected *.py files, particularly in the root and component subdirectories, before calling from_pretrained().
Fix
RCE
Code Injection
Improperly Implemented Security Check for Standard
Affected Products
Diffusers
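The snapshot inspection recommended above, as an added example that is not part of the original advisory or the Diffusers project: it lists every *.py file in a local snapshot and marks the ones that model_index.json points at. The <component>/<module>.py layout for custom component files, the function names, and the sample snapshot contents are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def audit_snapshot(snapshot_dir):
    """Return (all_py, referenced): every *.py file in the snapshot, and the
    subset that model_index.json points at as <component>/<module>.py."""
    root = Path(snapshot_dir)
    all_py = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.py"))
    referenced = []
    index_path = root / "model_index.json"
    if index_path.is_file():
        index = json.loads(index_path.read_text(encoding="utf-8"))
        for component, spec in index.items():
            # Component entries are [library_or_module, class_name] pairs;
            # keys such as _class_name hold plain strings and are skipped.
            if not (isinstance(spec, list) and len(spec) == 2):
                continue
            module = spec[0]
            # Assumed layout: a custom component lives at <component>/<module>.py.
            candidate = f"{component}/{module}.py"
            if isinstance(module, str) and candidate in all_py:
                referenced.append(candidate)
    return all_py, sorted(referenced)


def build_sample_snapshot(base):
    """Constructed sample: one stock component, one custom component file,
    and a pipeline.py in the snapshot root."""
    root = Path(base)
    (root / "unet").mkdir(parents=True)
    (root / "scheduler").mkdir()
    (root / "model_index.json").write_text(json.dumps({
        "_class_name": "ExamplePipeline",
        "scheduler": ["diffusers", "DDIMScheduler"],
        "unet": ["my_unet", "MyUNet"],
    }), encoding="utf-8")
    (root / "unet" / "my_unet.py").write_text("# custom component code\n")
    (root / "pipeline.py").write_text("# custom pipeline code\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        all_py, referenced = audit_snapshot(build_sample_snapshot(tmp))
        for path in all_py:
            tag = "referenced by model_index.json" if path in referenced else "unreferenced"
            print(f"REVIEW {path} ({tag})")
```

Every path it reports should be read before calling from_pretrained() on that snapshot; an empty result means the snapshot carries no Python files at all.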