Skip to main content

Hugging Face diffusers CVE-2026-44513

| EUVDEUVD-2026-30334 HIGH
Code Injection (CWE-94)
2026-05-07 https://github.com/huggingface/diffusers GHSA-98h9-4798-4q5v
8.8
CVSS 3.1 · Vendor: https://github.com/huggingface/diffusers
Share

Severity by source

Vendor (https://github.com/huggingface/diffusers) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/huggingface/diffusers).

CVSS VectorVendor: https://github.com/huggingface/diffusers

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 06:01 vuln.today
Analysis Generated
May 07, 2026 - 06:01 vuln.today
CVE Published
May 07, 2026 - 05:31 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 pypi packages depend on diffusers (2 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.38.0.

DescriptionCVE.org

Impact

A trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause - the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check:

  1. Cross-repo custom_pipeline. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) - the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed.
  2. Local snapshot + Hub custom_pipeline. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) - the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed.
  3. Local snapshot with custom components. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json - same root cause; the local path skipped download() and custom component code executed.

Silent remote code execution on the victim's machine. Anyone calling DiffusionPipeline.from_pretrained with custom pipelines is impacted.

Patches

Yes. Fixed in diffusers 0.38.0 via PR #13448. All users on versions < 0.38.0 should upgrade:

bash
pip install --upgrade "diffusers>=0.38.0"

The fix moves the trust_remote_code gate out of DiffusionPipeline.download() and into get_cached_module_file in src/diffusers/utils/dynamic_modules_utils.py, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise ValueError instead of executing untrusted code.

Workarounds

If upgrading immediately is not possible:

  • Only call from_pretrained with pretrained_model_name_or_path, custom_pipeline, and local snapshot directories from fully trusted sources that have been audited.
  • Do not pass custom_pipeline= pointing at a Hub repository different from the primary pretrained_model_name_or_path before reading its pipeline.py.
  • Before calling from_pretrained on a local snapshot, inspect the snapshot for unexpected *.py files, especially under component subdirectories (unet/, scheduler/, etc.) and at the snapshot root.

These are mitigations, not fixes - the only complete remediation is upgrading to 0.38.0.

Resources

  • Fix: https://github.com/huggingface/diffusers/pull/13448
  • Original issue: https://github.com/huggingface/diffusers/issues/13446
  • Release notes: https://github.com/huggingface/diffusers/releases/tag/v0.38.0
  • CWE-94: https://cwe.mitre.org/data/definitions/94.html

AnalysisAI

Remote code execution in Hugging Face diffusers library (all versions < 0.38.0) bypasses the trust_remote_code=False security gate when users load models via DiffusionPipeline.from_pretrained. Three distinct attack vectors exist: cross-repository custom_pipeline parameters, local snapshots combined with Hub custom_pipeline references, and local snapshots containing malicious custom component files. The vulnerability stems from implementing the trust_remote_code check in DiffusionPipeline.download() instead of at the actual dynamic module load point, allowing multiple code paths to skip the security control entirely. Vendor-released patch: diffusers 0.38.0 (confirmed by GitHub advisory GHSA-98h9-4798-4q5v and PR #13448). No public exploit identified at time of analysis; exploitation requires user interaction (loading a model from an attacker-controlled source).

Technical ContextAI

The diffusers library is Hugging Face's Python package for loading and running pretrained diffusion models (Stable Diffusion, DALL-E variants, etc.) from the Hugging Face Hub or local storage. The vulnerability exploits the library's dynamic module loading mechanism, which allows models to include custom Python code (pipeline.py, custom component scripts) that executes during model initialization. The trust_remote_code parameter was intended as a security gate to prevent arbitrary code execution from untrusted sources, following the pattern used in the transformers library. However, the implementation placed the check in DiffusionPipeline.download() rather than in get_cached_module_file() within src/diffusers/utils/dynamic_modules_utils.py, which is the universal chokepoint for all dynamic module imports. This architectural flaw (CWE-94: Improper Control of Generation of Code) meant that code paths bypassing download() - specifically, the local-path branch and cross-repository custom_pipeline resolution - never encountered the security check. The CPE pkg:pip/diffusers indicates this affects all Python environments with the pip-installed package. The fix in PR #13448 refactors the gate into get_cached_module_file and threads the trust_remote_code parameter through the entire call chain (from_pretrained → load_sub_model → get_class_obj_and_candidates → get_cached_module_file), ensuring enforcement regardless of code path.

RemediationAI

Upgrade to diffusers 0.38.0 or later using pip install --upgrade 'diffusers>=0.38.0' per the vendor advisory at https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v. The fix in PR #13448 (commit a37f6f8394ac2a7ee8360c3abea811efe54512b1) relocates the trust_remote_code enforcement from DiffusionPipeline.download() into get_cached_module_file(), ensuring all three exploit variants now raise ValueError instead of executing untrusted code. If immediate upgrade is blocked by dependency constraints, apply these compensating controls: (1) Audit all custom_pipeline parameters in from_pretrained calls to ensure they point only to repositories you control or have manually code-reviewed - never pass user-supplied repository names. Trade-off: eliminates ability to dynamically load community pipelines. (2) Before loading any local model snapshot, recursively scan the directory for unexpected .py files, especially under component subdirectories (unet/, scheduler/, vae/, text_encoder/) and inspect model_index.json for custom class_name entries. Trade-off: manual, error-prone process that doesn't scale. (3) Run model loading in isolated containers or VMs with no network egress and minimal filesystem access, treating all from_pretrained calls as potentially hostile. Trade-off: significant operational overhead, breaks workflows requiring network access during model load. These mitigations reduce but do not eliminate risk - the vendor explicitly states 'These are mitigations, not fixes - the only complete remediation is upgrading to 0.38.0.'

Vendor StatusVendor

Share

CVE-2026-44513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy