QSearchQSearch

CVE-2026-4372

7.8 HIGH

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0

Published: 2026-05-24 · Last updated: 2026-06-04

Severity and scoring

CVSS
7.8 HIGH
Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-1066, CWE-502

Affected products

VendorProduct
huggingfacetransformers

Description

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-5241 A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model reposit... (9.6 CRITICAL)
  • CVE-2026-44827 Diffusers is the a library for pretrained diffusion models (8.8 HIGH)
  • CVE-2026-44513 Diffusers is the a library for pretrained diffusion models (8.8 HIGH)

Same CWE

  • CVE-2026-20251 In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
  • CVE-2026-53435 In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
  • CVE-2026-52751 Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
  • CVE-2026-10721 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components
  • CVE-2026-11815 An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deseriali...