
InstructLab EUVD-2026-24752 | CVE-2026-6859 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-22 · redhat · GHSA-rxpq-xgqx-fr7p
8.8 · CVSS 3.1 · NVD

Severity by source

NVD (primary): 8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat: 8.8 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Apr 22, 2026 21:37 · vuln.today · Re-analysis Queued (cvss_changed)
Apr 22, 2026 14:58 · vuln.today · Analysis Generated
Apr 22, 2026 14:00 · euvd · EUVD ID Assigned (EUVD-2026-24752)
Apr 22, 2026 14:00 · vuln.today · Analysis Generated
Apr 22, 2026 13:04 · nvd · CVE Published (HIGH 8.8)

Description (NVD)

A flaw was found in InstructLab. The linux_train.py script hardcodes trust_remote_code=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.

Analysis (AI)

Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: attacker hosts a malicious model repository on HuggingFace Hub.
Delivery: attacker social-engineers the target user via ML community channels into using that repository.
Exploit: user runs ilab download, train or generate against the attacker's repository; InstructLab loads it with trust_remote_code=True and imports the repository's custom Python modules.
Execute: attacker's Python code runs with the user's privileges.
Install: attacker establishes persistence on the host.
C2 / lateral movement: attacker uses the foothold to reach further systems.
Impact: exfiltration of credentials and sensitive AI training data.

Vulnerability Assessment (AI)

Exploitation: requires the following specific conditions: the user must execute one of three InstructLab commands (ilab train, ilab download, or ilab generate) while specifying a HuggingFace model repository controlled by the attacker as the model source. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: real-world risk is HIGH, but exploitation requires social engineering. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: an attacker creates a malicious large language model repository on HuggingFace Hub, placing arbitrary Python code in the repository's custom code files, which transformers imports when config.json or tokenizer_config.json references them via auto_map (e.g., a backdoored modeling module or custom tokenizer). The attacker promotes this model through ML community channels, academic papers, or social media as a high-performance specialized model for a popular use case. …
Remediation: apply vendor-released patches from Red Hat for RHEL AI 3 per the advisory at https://access.redhat.com/security/cve/CVE-2026-6859. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all systems running Red Hat Enterprise Linux AI 3 with InstructLab installed and restrict user access to ilab train, download, and generate commands. …
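The description above names the defect (trust_remote_code=True hardcoded in linux_train.py) and the recommended action asks operators to gate which models users can load; the following is an added example, written for this page and not InstructLab's or Red Hat's code, showing both halves: a pre-flight check that reports whether a downloaded Hugging Face snapshot would cause transformers to import Python from the repository (the auto_map entries in config.json and tokenizer_config.json, plus any .py files present), and a loader wrapper that refuses such a snapshot unless the operator has allow-listed that repository. The `loader` callable, the `RemoteCodeRefused` exception, the allow-list keyed on the snapshot directory name, and the two constructed snapshots in `demo()` are assumptions of the example, not anything from the advisory.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path
from typing import Any, Callable

# transformers locates repo-supplied model classes through the `auto_map`
# key of config.json / tokenizer_config.json. With trust_remote_code=True
# the modules named there are imported, i.e. executed, by the loader.
AUTO_MAP_FILES = ("config.json", "tokenizer_config.json")


class RemoteCodeRefused(RuntimeError):
    """Raised when a snapshot would run repo code the operator never approved."""


def requires_remote_code(model_dir: Path) -> list[str]:
    """List what loading this local snapshot would import; [] means plain weights."""
    refs: list[str] = []
    for name in AUTO_MAP_FILES:
        p = model_dir / name
        if not p.is_file():
            continue
        try:
            cfg = json.loads(p.read_text())
        except json.JSONDecodeError:
            refs.append(f"{name}: unparseable")  # malformed config is itself a red flag
            continue
        auto_map = cfg.get("auto_map") if isinstance(cfg, dict) else None
        if not isinstance(auto_map, dict):
            continue
        for cls, ref in auto_map.items():
            # Tokenizer entries are [slow, fast] pairs; model entries are strings.
            targets = ref if isinstance(ref, list) else [ref]
            refs.extend(f"{cls} -> {t}" for t in targets if t)
    # The .py files are the payload itself, whether or not auto_map names them.
    refs.extend(f"python file: {py.name}" for py in sorted(model_dir.glob("*.py")))
    return refs


def vulnerable_load(model_dir: Path, loader: Callable[..., Any]) -> Any:
    """The pattern the advisory describes: repo code is trusted unconditionally."""
    return loader(model_dir, trust_remote_code=True)


def safe_load(model_dir: Path, loader: Callable[..., Any],
              allowlist: frozenset[str] = frozenset()) -> Any:
    """Hardened form: trust_remote_code is False unless the snapshot needs it
    AND the operator allow-listed that repo (assumption: dir name == repo id)."""
    refs = requires_remote_code(model_dir)
    repo_id = model_dir.name
    if refs and repo_id not in allowlist:
        raise RemoteCodeRefused(f"{repo_id} would execute repo code: {refs}")
    return loader(model_dir, trust_remote_code=bool(refs))


def demo() -> dict[str, Any]:
    """Constructed snapshots (not real Hub repos): one plain, one shipping code."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = Path(tmp) / "org--plain-model"
        plain.mkdir()
        (plain / "config.json").write_text(json.dumps({"model_type": "llama"}))

        custom = Path(tmp) / "attacker--custom-model"
        custom.mkdir()
        (custom / "config.json").write_text(json.dumps({
            "model_type": "foo",
            "auto_map": {"AutoConfig": "configuration_foo.FooConfig",
                         "AutoModelForCausalLM": "modeling_foo.FooForCausalLM"},
        }))
        (custom / "modeling_foo.py").write_text("# attacker-controlled code goes here\n")

        calls: list[tuple[str, bool]] = []

        def fake_loader(path: Path, trust_remote_code: bool) -> str:
            # Stand-in for AutoModel.from_pretrained: records the trust flag it got.
            calls.append((path.name, trust_remote_code))
            return "model"

        out: dict[str, Any] = {
            "plain_refs": requires_remote_code(plain),
            "custom_refs": requires_remote_code(custom),
        }
        vulnerable_load(plain, fake_loader)
        vulnerable_load(custom, fake_loader)
        out["vulnerable_calls"] = list(calls)  # both loaded with trust_remote_code=True
        calls.clear()

        safe_load(plain, fake_loader)
        try:
            safe_load(custom, fake_loader)
            out["refused"] = False
        except RemoteCodeRefused:
            out["refused"] = True  # unlisted repo with custom code is rejected
        safe_load(custom, fake_loader, allowlist=frozenset({"attacker--custom-model"}))
        out["safe_calls"] = list(calls)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `requires_remote_code()` over each snapshot under the Hub cache before `ilab` touches it; a non-empty result on a repository nobody approved is exactly the condition the advisory warns about. The allow-list is keyed on the snapshot directory name only for the sake of the example; in a real deployment key it on the repository id and pin a commit hash, since a trusted repository can later be updated with different code.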


More in Python

CVE-2025-24016 · CRITICAL 9.9 · PoC · Feb 10: Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t…
CVE-2025-27520 · CRITICAL 9.8 · PoC · Apr 04: BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser…
CVE-2025-2945 · CRITICAL 9.9 · PoC · Apr 03: pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi…
CVE-2025-32375 · CRITICAL 9.8 · PoC · Apr 09: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica…
CVE-2024-21644 · HIGH 7.5 · PoC · Jan 08: pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
CVE-2026-39987 · CRITICAL 9.3 · PoC · Apr 08: Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/…
CVE-2024-21645 · MEDIUM 5.3 · PoC · Jan 08: pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne…
CVE-2026-33017 · CRITICAL 9.3 · PoC · Mar 17: Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301…
CVE-2026-27966 · CRITICAL 9.8 · PoC · Feb 26: Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary…
CVE-2025-0868 · CRITICAL 9.3 · PoC · Feb 20: A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (C…
CVE-2026-41264 · CRITICAL 9.2 · PoC · Apr 21: Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. …
CVE-2025-1550 · CRITICAL 9.8 · PoC · Mar 11: Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .ker…
