CVE-2026-47117

Name of the Vulnerable Software and Affected Versions OpenMed versions prior to 1.5.2

Description Remote code execution is possible in the PII privacy-filter model loading path. The privacy-filter dispatcher uses broad substring matching on the user-supplied model name parameter, which allows a value to route through a path that loads Hugging Face models with trust remote code=True. An unauthenticated attacker can provide a malicious model repository containing custom Transformers code via auto map in config.json or tokenizer config.json, which is then imported and executed with the privileges of the OpenMed service process.

Recommendations Update to version 1.5.2.