PT-2026-42943 · Hugging Face · Transformers

Cyrilvallez

·

Published

2026-05-24

·

Updated

2026-07-04

·

CVE-2026-4372

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions HuggingFace transformers versions prior to 5.3.0
Description A critical remote code execution issue exists where an attacker can craft a malicious config.json file. By setting the attn implementation internal field to a repository ID controlled by the attacker, arbitrary Python code is downloaded and executed with full OS privileges when a victim uses the AutoModelForCausalLM.from pretrained() API. This occurs due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The issue bypasses the trust remote code security mechanism and is triggered when the optional kernels package is installed. Affected versions were downloaded approximately 232 million times while the issue was live, potentially exposing cloud credentials, API keys, source code, and proprietary datasets.
Recommendations Upgrade to version 5.3.0 or later. Audit previously downloaded model configurations. Sandbox untrusted AI models to minimize risk.

Exploit

Fix

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-4372
GHSA-29PF-2H5F-8G72
PYSEC-2026-2289

Affected Products

Transformers