OpenMed Remote Code Execution (CVE-2026-47117): Malicious Hugging Face Models via PII Privacy Filter


A critical remote code execution vulnerability in OpenMed, tracked as CVE-2026-47117, allows attackers to achieve arbitrary code execution by manipulating the PII privacy-filter model loading path. The vulnerability carries a CVSS score of 9.8 and affects OpenMed versions prior to 1.5.2. An attacker can supply a specially crafted model name that routes through a path loading Hugging Face models with trust_remote_code enabled, resulting in remote code execution.

What Is the Vulnerability?

CVE-2026-47117 is a code injection vulnerability in the PII (Personally Identifiable Information) privacy-filter model loading component of OpenMed. The privacy-filter dispatcher uses broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a code path that loads Hugging Face models with the trust_remote_code flag set to True.

Hugging Face’s trust_remote_code feature allows models to include and execute arbitrary Python code as part of the model loading process — it is a deliberate feature designed for flexibility, but it is inherently dangerous when the model source is not fully trusted. By crafting a model name that passes the substring match but points to a malicious Hugging Face repository under the attacker’s control, the attacker can force OpenMed to download and execute arbitrary Python code from the attacker’s model repository. This is a pre-authentication, network-exploitable vulnerability: an attacker who can submit input to the privacy-filter functionality — such as a medical text processing request — can trigger the malicious model loading path.
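The substring dispatch described above, shown beside an exact-match allowlist, as an added illustration that is not OpenMed's own code; the function names, the LoadRequest type and the approved repository id are hypothetical, and no model is actually downloaded.

```python
"""Added illustration (not OpenMed's code): the substring-dispatch flaw
behind CVE-2026-47117 beside a hardened exact-match allowlist.
All function and repository names here are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadRequest:
    """What the dispatcher would hand to the Hugging Face loader."""
    repo_id: str
    trust_remote_code: bool


# Hypothetical: the one privacy-filter repository this deployment vetted.
APPROVED_PRIVACY_FILTER = "OpenMed/privacy-filter"  # placeholder repo id


def dispatch_vulnerable(model_name: str) -> LoadRequest:
    """Pre-1.5.2 pattern: any name containing 'privacy-filter' is routed to
    the trust_remote_code=True loader, so 'attacker/foo-privacy-filter-bar'
    passes and that repository's Python would run at load time."""
    if "privacy-filter" in model_name:
        return LoadRequest(model_name, trust_remote_code=True)
    return LoadRequest(model_name, trust_remote_code=False)


def is_approved_privacy_filter(model_name: str) -> bool:
    """Exact match only: a foreign namespace or extra suffix never passes."""
    return model_name == APPROVED_PRIVACY_FILTER


def dispatch_hardened(model_name: str) -> LoadRequest:
    """Only the vetted repository id may reach the remote-code loader;
    anything else is rejected before any network request is made."""
    if is_approved_privacy_filter(model_name):
        return LoadRequest(model_name, trust_remote_code=True)
    raise ValueError(f"model {model_name!r} is not an approved privacy filter")


if __name__ == "__main__":
    crafted = "attacker/foo-privacy-filter-bar"  # value quoted in the advisory
    print(dispatch_vulnerable(crafted))          # trust_remote_code=True
    try:
        dispatch_hardened(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```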

OpenMed is used in healthcare and medical AI applications for processing clinical text, de-identifying patient data, and extracting medical concepts. A compromised instance could expose protected health information (PHI), manipulate medical data processing pipelines, or serve as a pivot point into healthcare infrastructure.

The vulnerability is classified under CWE-94 (Improper Control of Generation of Code — Code Injection):

  • CVSS v3.1 Score: 9.8 (Critical)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)

Which Versions Are Affected?

The vulnerability affects all versions of OpenMed prior to 1.5.2:

  • OpenMed: all versions before 1.5.2

The fix was released in OpenMed version 1.5.2, which corrects the overly broad substring matching in the privacy-filter model loading path.

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed at the time of writing. However, the vulnerability was published on June 2, 2026, with full technical details available. The exploit methodology — registering a malicious Hugging Face model repository and supplying a crafted model name — is well-understood in the AI security community and has been demonstrated in similar vulnerabilities affecting other AI/ML frameworks. The CVSS 9.8 score reflects the ease of exploitation: unauthenticated, network-accessible, low complexity, no user interaction. Organisations running OpenMed in production should patch immediately — do not wait for confirmed exploitation reports.

What Is the Fix?

Update OpenMed to version 1.5.2 or later. The fix corrects the substring matching logic in the privacy-filter dispatcher to prevent routing to attacker-controlled model repositories with trust_remote_code enabled. If you are using OpenMed through a package manager or container image, update to the latest version. Verify the installed version after updating.

Recommendations

Update OpenMed to 1.5.2 immediately. CVSS 9.8 with unauthenticated remote code execution is an emergency-patch scenario. Every OpenMed instance — particularly those exposed to network input through APIs or web interfaces — should be updated today.

Audit OpenMed logs for suspicious model loading activity. After updating, review OpenMed application logs for model loading events involving unexpected model repository names — particularly model names containing patterns like privacy-filter embedded within longer repository paths. Any model loaded from a Hugging Face repository that your organisation does not explicitly use should be investigated.
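One way to run that review over log lines, as an added example rather than an OpenMed tool: the log line shape, the approved repository ids and the sample events are all constructed for illustration and will need to be adapted to the real log format.

```python
"""Added example (not an OpenMed tool): flag model-loading log events that
reference repositories outside an approved allowlist. The log line format
and every repository name below are constructed for illustration."""
import re

# Assumed line shape:
# "<date> <time> <level> <logger>: loading model <repo> trust_remote_code=<bool>"
LOAD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \S+: loading model (?P<repo>\S+) "
    r"trust_remote_code=(?P<trc>True|False)$"
)

# Repositories this deployment is expected to load (placeholder ids).
APPROVED = {"OpenMed/privacy-filter", "OpenMed/ner-clinical"}

# Constructed sample log: two expected loads, one foreign-namespace load
# that matches the privacy-filter substring, and one unrelated line.
SAMPLE_LOG = """\
2026-06-03 09:10:01 INFO openmed.pii: loading model OpenMed/privacy-filter trust_remote_code=True
2026-06-03 09:12:44 INFO openmed.ner: loading model OpenMed/ner-clinical trust_remote_code=False
2026-06-03 09:15:09 INFO openmed.pii: loading model attacker/foo-privacy-filter-bar trust_remote_code=True
2026-06-03 09:16:30 INFO openmed.http: POST /deidentify 200
"""


def audit_model_loads(log_text: str, approved: set[str]) -> list[dict]:
    """Return one finding per load event whose repository is not approved.
    Unapproved loads with trust_remote_code=True are 'critical' because
    repository code executes at load time; the rest are 'review'."""
    findings = []
    for line in log_text.splitlines():
        m = LOAD_RE.match(line)
        if not m or m["repo"] in approved:
            continue
        remote = m["trc"] == "True"
        findings.append({
            "timestamp": m["ts"],
            "repo": m["repo"],
            "trust_remote_code": remote,
            "severity": "critical" if remote else "review",
            # A filter-name substring inside a foreign namespace is the
            # exact shape the advisory describes for CVE-2026-47117.
            "matches_filter_pattern": "privacy-filter" in m["repo"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_model_loads(SAMPLE_LOG, APPROVED):
        print(finding)
```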

Review your AI/ML model trust model. This vulnerability follows CVE-2026-45829 (ChromaDB, CVSS 10.0, also involving Hugging Face model loading with trust_remote_code). The pattern of AI/ML frameworks enabling trust_remote_code on user-influenced model loading paths is a recurring vulnerability class. Audit your AI/ML infrastructure for any other framework or tool that allows user-controlled model repository selection with trust_remote_code enabled. Where possible, restrict model loading to pre-approved, internally vetted repositories.

Implement network segmentation for AI/ML infrastructure. OpenMed instances processing sensitive medical data should not have unrestricted outbound internet access. Restrict egress traffic to only the repositories and endpoints required for legitimate model loading — this limits the attacker’s ability to direct the application to malicious repositories even if a similar vulnerability is discovered in the future.

This advisory is covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
