CVE-2026-44513

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact

A trust remote code bypass in DiffusionPipeline.from pretrained allows arbitrary remote code execution despite the user passing trust remote code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust remote code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check:

Cross-repo custom pipeline. DiffusionPipeline.from pretrained('repoA', custom pipeline='attacker/repoB', trust remote code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed.
Local snapshot + Hub custom pipeline. DiffusionPipeline.from pretrained('/local/snapshot', custom pipeline='attacker/repoB', trust remote code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed.
Local snapshot with custom components. DiffusionPipeline.from pretrained('/local/snapshot', trust remote code=False) where the snapshot contains custom component files (e.g. unet/my unet model.py) referenced from model index.json — same root cause; the local path skipped download() and custom component code executed.

Silent remote code execution on the victim's machine. Anyone calling DiffusionPipeline.from pretrained with custom pipelines is impacted.

Patches

Yes. Fixed in diffusers 0.38.0 via PR #13448. All users on versions < 0.38.0 should upgrade:

pip install --upgrade "diffusers>=0.38.0"

The fix moves the trust remote code gate out of DiffusionPipeline.download() and into get cached module file in src/diffusers/utils/dynamic modules utils.py, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise ValueError instead of executing untrusted code.

Workarounds

If upgrading immediately is not possible:

Only call from pretrained with pretrained model name or path, custom pipeline, and local snapshot directories from fully trusted sources that have been audited.
Do not pass custom pipeline= pointing at a Hub repository different from the primary pretrained model name or path before reading its pipeline.py.
Before calling from pretrained on a local snapshot, inspect the snapshot for unexpected *.py files, especially under component subdirectories (unet/, scheduler/, etc.) and at the snapshot root.

These are mitigations, not fixes — the only complete remediation is upgrading to 0.38.0.

Resources

Fix: https://github.com/huggingface/diffusers/pull/13448
Original issue: https://github.com/huggingface/diffusers/issues/13446
Release notes: https://github.com/huggingface/diffusers/releases/tag/v0.38.0
CWE-94: https://cwe.mitre.org/data/definitions/94.html

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2026-44513

GHSA-98H9-4798-4Q5V

Affected Products

Diffusers

CVE-2026-44513

Impact

Patches

Workarounds

Resources

Weakness Enumeration

Related Identifiers

Affected Products

References · 7