CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (base score 9.6, Critical, as computed from this vector)
Description (NVD)
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trust_remote_code parameter, which is meant to gate remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when a LightGlue model is loaded with AutoModel.from_pretrained() and trust_remote_code=False, LightGlueConfig reads the trust_remote_code value from the untrusted config.json and propagates it into nested AutoConfig.from_pretrained() calls. Attacker-provided Python modules are therefore executed even though the victim explicitly disabled remote code. The vulnerability poses a high risk to environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, where it can lead to credential theft, lateral movement, or persistence through backdoor deployment.
Analysis (AI)
Remote code execution in Hugging Face Transformers 5.2.0 allows a malicious model repository to bypass the user's explicit trust_remote_code=False safeguard when loading a LightGlue model via AutoModel.from_pretrained(). The LightGlueConfig deserializes the trust_remote_code flag from the untrusted config.json and propagates the attacker-controlled value into a nested AutoConfig.from_pretrained() call, enabling execution of arbitrary attacker-supplied Python during model initialization. …
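The description and analysis above both come down to one failure mode: the caller's trust_remote_code=False is not the last word, because the repository's own config.json (including nested sub-configs) can carry a trust_remote_code flag and an auto_map that the loader honours. A defensive measure that does not depend on the library getting this right is to audit the downloaded snapshot before from_pretrained() ever sees it. The following is an added example, not code from the transformers project or from this advisory: it walks config.json recursively, flags any auto_map or truthy trust_remote_code key at any depth, flags Python source files in the snapshot, and refuses to call the loader if anything is found. The nested "keypoint_detector_config" key, the "evil_module" name and the sample configs are constructed for illustration; auto_map is the documented config.json mechanism by which a repository points transformers at custom code.

```python
"""Pre-load audit of a local Hugging Face model snapshot for remote-code requests.

Added example, not part of the transformers code base. Run the audit on the
snapshot directory, then hand it to AutoModel.from_pretrained() only if the
audit is clean, so a config.json that smuggles trust_remote_code or an
auto_map cannot reach the loader regardless of the caller's own flag.
"""
import json
import os
import tempfile
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

# config.json keys that tell transformers to import repository-supplied Python.
REMOTE_CODE_KEYS = ("auto_map", "custom_pipelines")


def _walk(node: Any, path: str = "config.json") -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every dict entry, recursing into nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def audit_config(config: Dict[str, Any]) -> List[str]:
    """Return one finding per remote-code request found anywhere in the config tree."""
    findings: List[str] = []
    for jpath, key, value in _walk(config):
        if key in REMOTE_CODE_KEYS:
            findings.append(f"{jpath}: '{key}' requests repository code: {value!r}")
        if key == "trust_remote_code" and value:
            # A serialized trust_remote_code is attacker-controlled data, never a policy decision.
            findings.append(f"{jpath}: serialized trust_remote_code={value!r}")
    return findings


def audit_model_dir(model_dir: str) -> List[str]:
    """Audit config.json plus any .py files shipped in the snapshot."""
    with open(os.path.join(model_dir, "config.json"), "r", encoding="utf-8") as fh:
        findings = audit_config(json.load(fh))
    for root, _dirs, files in os.walk(model_dir):
        for name in files:
            if name.endswith(".py"):
                rel = os.path.relpath(os.path.join(root, name), model_dir)
                findings.append(f"{rel}: Python source shipped in model repository")
    return findings


def load_if_clean(model_dir: str, loader: Callable[[str], Any]) -> Any:
    """Call loader(model_dir) only when the audit finds nothing.

    In production `loader` would be something like
    lambda p: AutoModel.from_pretrained(p, trust_remote_code=False).
    """
    findings = audit_model_dir(model_dir)
    if findings:
        raise RuntimeError("refusing to load model:\n  " + "\n  ".join(findings))
    return loader(model_dir)


# Constructed sample (not a real repository): a LightGlue-shaped config.json that
# carries trust_remote_code at the top level and again inside the nested
# keypoint-detector config together with an auto_map pointing at repo code.
MALICIOUS_CONFIG: Dict[str, Any] = {
    "model_type": "lightglue",
    "trust_remote_code": True,
    "keypoint_detector_config": {
        "model_type": "superpoint",
        "trust_remote_code": True,
        "auto_map": {"AutoConfig": "evil_module.EvilConfig"},
    },
}

# Constructed benign counterpart: same shape, no remote-code requests.
BENIGN_CONFIG: Dict[str, Any] = {
    "model_type": "lightglue",
    "keypoint_detector_config": {"model_type": "superpoint"},
}


def write_snapshot(config: Dict[str, Any], extra_files: Optional[Dict[str, str]] = None) -> str:
    """Write a throwaway snapshot directory for the demo; returns its path."""
    snapshot = tempfile.mkdtemp(prefix="hf_snapshot_")
    with open(os.path.join(snapshot, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    for name, body in (extra_files or {}).items():
        with open(os.path.join(snapshot, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return snapshot


if __name__ == "__main__":
    evil = write_snapshot(MALICIOUS_CONFIG, {"evil_module.py": "import os\n"})
    for line in audit_model_dir(evil):
        print("FINDING:", line)
    good = write_snapshot(BENIGN_CONFIG)
    print("benign snapshot loaded:", load_if_clean(good, lambda p: f"model@{p}"))
```

The audit is deliberately independent of the library: it treats any auto_map or serialized trust_remote_code as a hard stop rather than trusting the loader to ignore them, which is exactly the assumption this advisory shows to be unsafe. Pair it with a pinned revision and a read-only snapshot directory so the audited files are the files that get loaded.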
Remediation (AI)
Within 24 hours: inventory deployments running Transformers 5.2.0, restrict model loading to vetted sources, and isolate affected systems where possible. Within 7 days: upgrade Transformers to the patched release referenced in the vendor advisory. …
References
EUVD-2026-34084
GHSA-fgcw-684q-jj6r