PT-2026-39298 · Hugging Face · Diffusers
Published 2026-05-07 · Updated 2026-05-19 · CVE-2026-44827
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Diffusers versions prior to 0.38.0
Description
An issue exists in the DiffusionPipeline.from_pretrained() flow when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls() function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter. When this parameter is not supplied, it defaults to None, which is interpolated as the literal string "None.py". If a malicious repository contains a file named None.py with a class that subclasses DiffusionPipeline, this file is automatically downloaded and executed. This process bypasses the trust_remote_code safeguard because the security check in DiffusionPipeline.download() evaluates whether custom_pipeline is not None; since the argument was never supplied, the check returns false and the safeguard is skipped. However, the subsequent loading path resolves the None value into the filename None.py, leading to silent remote code execution when a victim calls from_pretrained() on the malicious repository.
Recommendations
Update to version 0.38.0 or later.
As a temporary workaround, only call from_pretrained() using model names, custom pipelines, or local snapshot directories from fully trusted and audited sources.
Before calling from_pretrained() on a local snapshot, inspect the directory for unexpected *.py files, particularly at the root and within component subdirectories.
Exploit
Fix
RCE
Code Injection
Affected Products
Diffusers
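The snapshot inspection recommended above, as an added example (not code from this advisory or from the Diffusers project). The function names, severity labels and sample directory are constructed for illustration; pass a real snapshot path as the first argument to audit it.

```python
import sys
import tempfile
from pathlib import Path

# With custom_pipeline left at its default, "<custom_pipeline>.py" becomes this name.
INTERPOLATED_NAME = f"{None}.py"  # "None.py"

def audit_snapshot(snapshot_dir):
    """Return (relative_path, severity, reason) for each *.py file found."""
    root = Path(snapshot_dir)
    findings = []
    # rglob matches on the entry name, so symlinked files in a Hub cache snapshot are seen too.
    for path in sorted(root.rglob("*.py")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        where = "snapshot root" if len(rel.parts) == 1 else f"component directory '{rel.parts[0]}'"
        # casefold: a case-insensitive filesystem would open "none.py" for "None.py".
        if path.name.casefold() == INTERPOLATED_NAME.casefold():
            findings.append((rel.as_posix(), "critical",
                             f"name the None default resolves to, in {where}"))
        else:
            findings.append((rel.as_posix(), "review", f"unexpected Python file in {where}"))
    return findings

def build_constructed_snapshot(base):
    """Constructed sample layout: JSON configs plus two inert .py placeholders."""
    root = Path(base)
    (root / "unet").mkdir(parents=True)
    (root / "model_index.json").write_text("{}")
    (root / "unet" / "config.json").write_text("{}")
    (root / "None.py").write_text("# constructed placeholder\n")
    (root / "unet" / "helper.py").write_text("# constructed placeholder\n")
    return root

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_snapshot(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            results = audit_snapshot(build_constructed_snapshot(tmp))
    for rel, severity, reason in results:
        print(f"[{severity}] {rel}: {reason}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check gate a loading script or CI step before from_pretrained() is called.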