PT-2026-42943 · Hugging Face · Transformers
Cyrilvallez
·
Published
2026-05-24
·
Updated
2026-07-04
·
CVE-2026-4372
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HuggingFace transformers versions prior to 5.3.0
Description
A critical remote code execution issue exists where an attacker can craft a malicious
config.json file. By setting the attn implementation internal field to a repository ID controlled by the attacker, arbitrary Python code is downloaded and executed with full OS privileges when a victim uses the AutoModelForCausalLM.from pretrained() API. This occurs due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The issue bypasses the trust remote code security mechanism and is triggered when the optional kernels package is installed. Affected versions were downloaded approximately 232 million times while the issue was live, potentially exposing cloud credentials, API keys, source code, and proprietary datasets.Recommendations
Upgrade to version 5.3.0 or later.
Audit previously downloaded model configurations.
Sandbox untrusted AI models to minimize risk.
Exploit
Fix
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Transformers