Skip to main content

Huggingface Transformers CVE-2026-1839

| EUVD-2026-19573 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-04-07 @huntr_ai GHSA-69w3-r845-3855
RCE Deserialization Huggingface Transformers
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 28, 2026 - 16:52 vuln.today
cvss_changed
Severity Changed
Apr 28, 2026 - 16:52 NVD
MEDIUM HIGH
CVSS changed
Apr 28, 2026 - 16:52 NVD
6.5 (MEDIUM) 7.8 (HIGH)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 05:30 euvd
EUVD-2026-19573
Analysis Generated
Apr 07, 2026 - 05:30 vuln.today
CVE Published
Apr 07, 2026 - 05:22 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 22 pypi packages depend on transformers (18 direct, 4 indirect)

Ecosystem-wide dependent count for version 5.0.0rc3.

DescriptionCVE.org

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The _load_rng_state() method in src/transformers/trainer.py at line 3059 calls torch.load() without the weights_only=True parameter. This issue affects all versions of the library supporting torch>=2.2 when used with PyTorch versions below 2.6, as the safe_globals() context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as rng_state.pth, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.

AnalysisAI

Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The _load_rng_state() method in the Trainer class calls torch.load() without the weights_only=True parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS score of 6.5 reflects medium severity with a local attack vector (AV:L), requiring user interaction (UI:R) and high attack complexity (AC:H), but delivering high confidentiality (C:H) and availability (A:H) impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A researcher collaborating on a machine learning project shares a checkpoint file containing a malicious `rng_state.pth` through a shared repository or file transfer service. When another team member resumes training using the Trainer class with PyTorch <2.6, the vulnerable `_load_rng_state()` method deserializes the checkpoint file, executing embedded arbitrary code with the permissions of the training process (potentially gaining access to training data, model weights, or system resources). …
Remediation Upgrade HuggingFace Transformers to version v5.0.0rc3 or later, which addresses the unsafe deserialization by ensuring `weights_only=True` is specified in `torch.load()` calls. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-1839 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy