
HuggingFace Transformers CVE-2026-4372

EUVD-2026-31598 · HIGH
Missing Serialization Control Element (CWE-1066)
2026-05-24 · @huntr_ai · GHSA-29pf-2h5f-8g72
CVSS 3.0 (NVD): 7.8

Severity by source

NVD (primary)
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 08, 2026 09:33 · Source code evidence fetched (vuln.today)
Jun 08, 2026 09:33 · Analysis generated (vuln.today)
May 26, 2026 14:16 · Patch available (EUVD)

Description (CVE.org)

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the _attn_implementation_internal field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard AutoModelForCausalLM.from_pretrained() API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the trust_remote_code security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.

Analysis (AI-generated)

Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the _attn_implementation_internal field to an attacker-controlled Hub repository. When the victim calls the standard AutoModelForCausalLM.from_pretrained() API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the trust_remote_code safety gate. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Publish malicious model to HuggingFace Hub
Delivery: Embed `_attn_implementation_internal` repo ID in config.json
Exploit: Victim calls `AutoModelForCausalLM.from_pretrained()`
Install: Library deserializes internal field via setattr
C2: Kernel module fetched from attacker repo
Execute: Python code executes with user privileges
Impact: Credential theft or lateral movement
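The "Install" step of the chain above is the whole bug class: a key from an untrusted config.json reaches setattr() and overrides a field the loader was supposed to own, and a later kernel-loading step trusts that field. The toy below is an added example written for this page, not Transformers code; ToyConfig, vulnerable_from_dict, hardened_from_dict and resolve_kernel_repo are hypothetical stand-ins for the library's loader, and nothing is downloaded. The hardened variant applies the two controls the remediation section names: it drops the internal implementation fields from a file-supplied config and refuses kernel repos outside the kernels-community namespace.

```python
"""Toy reproduction of the bug class behind CVE-2026-4372 (added example, not
Transformers code, downloads nothing).  ToyConfig, vulnerable_from_dict,
hardened_from_dict and resolve_kernel_repo are hypothetical stand-ins."""
import json
from typing import Optional

# Namespace the advisory says the fix restricts kernel loading to.
TRUSTED_KERNEL_NAMESPACE = "kernels-community"
# Internal fields the advisory says the fix stops deserializing from hub configs.
INTERNAL_IMPL_FIELDS = ("_attn_implementation_internal", "_experts_implementation_internal")


class ToyConfig:
    """Minimal stand-in for a model config object."""

    def __init__(self) -> None:
        self.model_type: Optional[str] = None
        # Meant to be set by the loader at runtime, never read from config.json.
        self._attn_implementation_internal: Optional[str] = None


def vulnerable_from_dict(cfg: dict) -> ToyConfig:
    """Pre-fix pattern: every key in config.json becomes an attribute via setattr,
    so a file-supplied '_attn_implementation_internal' overrides the loader's choice."""
    config = ToyConfig()
    for key, value in cfg.items():
        setattr(config, key, value)
    return config


def hardened_from_dict(cfg: dict) -> ToyConfig:
    """Post-fix pattern: internal implementation fields from the file are ignored."""
    config = ToyConfig()
    for key, value in cfg.items():
        if key in INTERNAL_IMPL_FIELDS:
            continue  # a serialized internal field is attacker-controlled, drop it
        setattr(config, key, value)
    return config


def resolve_kernel_repo(config: ToyConfig, enforce_namespace: bool) -> Optional[str]:
    """Return the Hub repo a kernel loader *would* fetch code from, or None when the
    value names a built-in implementation (no '/').  Raises instead of returning an
    untrusted repo when the namespace restriction is on."""
    impl = config._attn_implementation_internal
    if not isinstance(impl, str) or "/" not in impl:
        return None
    owner = impl.split("/", 1)[0]
    if enforce_namespace and owner != TRUSTED_KERNEL_NAMESPACE:
        raise ValueError(f"refusing kernel from untrusted repo {impl!r}")
    return impl


# Constructed sample mirroring the config.json the advisory describes.
MALICIOUS_CONFIG_JSON = json.dumps({
    "model_type": "llama",
    "_attn_implementation_internal": "attacker/payload-kernel",
})


def demo() -> tuple:
    """(repo the old loader would fetch, repo the fixed loader would fetch)."""
    cfg = json.loads(MALICIOUS_CONFIG_JSON)
    before = resolve_kernel_repo(vulnerable_from_dict(cfg), enforce_namespace=False)
    after = resolve_kernel_repo(hardened_from_dict(cfg), enforce_namespace=True)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note that `trust_remote_code` never appears in the toy: the gate guards custom modeling code, not a kernel fetch steered by a config attribute, which is why the advisory says the flag offers no protection here. Both controls matter: dropping the field stops a config.json from choosing the kernel at all, and the namespace check limits the blast radius if some other path ever sets it.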

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires that the victim invoke a `from_pretrained()`-style loader (e.g. `AutoModelForCausalLM.from_pretrained`) on a model whose config.json the attacker controls, either by publishing it under an attacker-owned Hugging Face Hub repo and inducing the victim to load that repo ID, or by supplying a malicious config.json via a local model directory. …
Risk Assessment: Signals conflict and need to be weighed carefully. …
Exploit Scenario: An attacker publishes a benign-looking model to the Hugging Face Hub (or convinces a victim to download a model archive) whose config.json contains `"_attn_implementation_internal": "attacker/payload-kernel"`. When a data scientist or CI pipeline runs `AutoModelForCausalLM.from_pretrained("attacker/looks-legit-model")`, even with `trust_remote_code=False`, Transformers silently fetches and executes the attacker's kernel Python module, yielding code execution with the victim user's OS privileges (e.g. access to cloud credentials, training datasets, or lateral movement from a GPU build server). …
Remediation: Vendor-released patch: upgrade `transformers` to version 5.3.0 or later (`pip install --upgrade 'transformers>=5.3.0'`), which both blocks deserialization of `_attn_implementation_internal` and `_experts_implementation_internal` from hub configs and restricts kernel loading to the `kernels-community` namespace (commit a7f8e7ff37d87d1a1a0c8cf607971c607741452f). …

Recommended Action (AI-generated)

Within 24 hours: Identify all systems running HuggingFace Transformers, especially ML pipelines and data science environments, and document current versions. …
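Two checks cover the inventory step above and the remediation section's patch boundary: is the installed `transformers` older than 5.3.0, and do any cached or checked-in config.json files already carry a repo ID in `_attn_implementation_internal` or `_experts_implementation_internal`. The helpers below are an added example, not Transformers or vuln.today code; FIXED_VERSION and the two field names come from the advisory, the function names and the sample configs in demo() are constructed, and the pre-release handling in parse_version is an assumption noted in its docstring.

```python
"""Added triage helpers for CVE-2026-4372: flag a transformers version older than
the fix and find config.json files whose internal implementation fields hold a
Hub repo id.  Not part of Transformers or vuln.today; names are hypothetical."""
import json
import os
import tempfile
from importlib import metadata
from typing import List, Optional, Tuple

FIXED_VERSION = (5, 3, 0)  # first release with the fix, per the advisory
SUSPECT_FIELDS = ("_attn_implementation_internal", "_experts_implementation_internal")
TRUSTED_NAMESPACE = "kernels-community"  # namespace the fix restricts kernel loading to


def parse_version(text: str) -> Tuple[int, int, int]:
    """Numeric major.minor.patch of a version string.  Suffixes such as 'rc1' or
    '.dev0' are ignored, so a 5.3.0 pre-release counts as fixed (assumption)."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def installed_transformers_version() -> Optional[str]:
    """Version of transformers in this interpreter, or None if not installed."""
    try:
        return metadata.version("transformers")
    except metadata.PackageNotFoundError:
        return None


def scan_config(cfg: dict, source: str) -> List[str]:
    """One finding per suspect field holding a repo id ('owner/name').  A built-in
    implementation name such as 'sdpa' has no '/' and is not reported."""
    findings = []
    for field in SUSPECT_FIELDS:
        value = cfg.get(field)
        if not isinstance(value, str) or "/" not in value:
            continue
        owner = value.split("/", 1)[0]
        verdict = "trusted namespace" if owner == TRUSTED_NAMESPACE else "UNTRUSTED repo"
        findings.append(f"{source}: {field} = {value!r} ({verdict})")
    return findings


def scan_tree(root: str) -> List[str]:
    """Scan every config.json under root (e.g. ~/.cache/huggingface/hub)."""
    findings: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        if "config.json" not in files:
            continue
        path = os.path.join(dirpath, "config.json")
        try:
            with open(path, encoding="utf-8") as fh:
                cfg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON; not a model config
        if isinstance(cfg, dict):
            findings.extend(scan_config(cfg, path))
    return findings


def demo() -> List[str]:
    """Build a constructed two-model tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample configs, not real models
            "benign-model": {"model_type": "llama", "torch_dtype": "bfloat16"},
            "looks-legit-model": {"model_type": "llama",
                                  "_attn_implementation_internal": "attacker/payload-kernel"},
        }
        for name, cfg in samples.items():
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, "config.json"), "w", encoding="utf-8") as fh:
                json.dump(cfg, fh)
        return [f.replace(root, "<root>") for f in scan_tree(root)]


if __name__ == "__main__":
    ver = installed_transformers_version()
    print("transformers:", ver, "VULNERABLE" if ver and is_vulnerable_version(ver) else "ok/absent")
    for line in demo():
        print(line)
```

A hit in the trusted namespace is still worth a look: the fix stops the library from reading these fields out of a hub config at all, so a checked-in config.json that sets one is either stale tooling output or something to ask the model's publisher about. Point scan_tree at the Hub cache on each GPU host and at any model directories committed to CI images.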
