Skip to main content

HuggingFace Diffusers CVE-2026-44827

| EUVDEUVD-2026-30332 HIGH
Code Injection (CWE-94)
2026-05-14 GitHub_M GHSA-j7w6-vpvq-j3gm
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 14, 2026 - 18:32 EUVD
Source Code Evidence Fetched
May 14, 2026 - 17:32 vuln.today
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:33 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 pypi packages depend on diffusers (2 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.38.0.

DescriptionGitHub Advisory

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.

AnalysisAI

Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.

Technical ContextAI

The vulnerability exploits Python's string interpolation behavior in the _resolve_custom_pipeline_and_cls function within pipeline_loading_utils.py. When the custom_pipeline parameter is not supplied, Python's default None value undergoes string interpolation via f-string formatting (f'{custom_pipeline}.py'), producing the literal string 'None.py'. The trust_remote_code security check evaluates 'custom_pipeline is not None' as False when the parameter is absent from kwargs, but downstream module loading logic treats the interpolated 'None.py' as a valid filename target. This creates a logic bypass where the security gate checks for explicit None but the file resolution accepts implicit string 'None'. The vulnerability is a CWE-94 (Improper Control of Generation of Code) instance, specifically exploiting type coercion between NoneType and string representations in security-critical path validation. The affected component is the Diffusers library's pipeline loading mechanism from Hugging Face Hub, which uses huggingface_hub's snapshot_download functionality with allow_patterns filtering that inadvertently includes attacker-controlled filenames.

RemediationAI

Upgrade HuggingFace Diffusers to version 0.38.0 or later, which includes the fix from GitHub pull request #13448 and commit a37f6f8394ac2a7ee8360c3abea811efe54512b1. For Python environments managed via pip, execute 'pip install --upgrade diffusers>=0.38.0' and verify installation with 'pip show diffusers'. Organizations unable to immediately upgrade should implement compensating controls: restrict DiffusionPipeline.from_pretrained() calls to explicitly trusted repository sources through application-layer allowlists of Hub repository IDs, deploy network egress filtering to block unauthorized connections to huggingface.co from production ML inference environments (note: this breaks legitimate model downloads and requires pre-cached models), or enforce mandatory code review of all model_index.json configurations before loading with validation that _class_name references only standard pipeline classes and no None.py files exist in repository snapshots. These workarounds significantly impact operational workflows and model update agility. Additionally, audit existing cached model directories (typically ~/.cache/huggingface/hub/) for suspicious None.py files as indicators of potential prior exploitation. Consult the official advisory at https://github.com/huggingface/diffusers/security/advisories/GHSA-j7w6-vpvq-j3gm for vendor guidance.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy