A critical remote code execution vulnerability in the Hugging Face Transformers library, tracked as CVE-2026-4372, allows an attacker to execute arbitrary code by crafting a malicious config.json file that loads attacker-controlled code when a model is loaded. All versions of Transformers prior to 5.3.0 are affected. Transformers is the most widely used AI/ML library globally — with hundreds of millions of monthly downloads — making this one of the most broadly impactful AI supply chain vulnerabilities disclosed to date.
What Is the Vulnerability?
CVE-2026-4372 exists in the model loading mechanism of the Transformers library. An attacker can craft a config.json file — the standard model configuration file present in every Hugging Face model repository — containing the _attn_implementation_internal field set to an attacker-controlled Hugging Face Hub repository ID. When a victim loads a model using any standard Transformers API such as AutoModelForCausalLM.from_pretrained(), AutoModel.from_pretrained(), or pipeline(), the library follows the attacker’s configuration reference, fetches code from the specified repository, and executes it — achieving remote code execution in the context of the Python process loading the model.
The attack requires the victim to load a model from an untrusted source — a common workflow in AI/ML development. Developers routinely download community models from the Hugging Face Hub, load models shared by colleagues or research partners, use models from third-party repositories, or fine-tune public models. Any of these workflows can serve as the delivery mechanism for a malicious config.json. This is the third critical Hugging Face-related remote code execution vulnerability this month, following CVE-2026-45829 (ChromaDB, CVSS 10.0) and CVE-2026-47117 (OpenMed, CVSS 9.8) — all involving the pattern of user-influenced model loading paths with code execution capabilities.
- CVSS v3.1 Score: 9.8 (Critical — estimated)
- CWE: CWE-94 (Improper Control of Generation of Code — Code Injection)
- Attack Vector: Network — victim loads a model from an attacker-controlled or compromised source
- Affected: All Transformers versions before 5.3.0
Which Versions Are Affected?
- Hugging Face Transformers: all versions prior to 5.3.0
Every installation of Transformers used for model inference, fine-tuning, training, or evaluation is affected. This includes Jupyter notebooks, model serving endpoints, training pipelines, inference services, and any Python application that calls from_pretrained() on a model from an external source.
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed at the time of writing. However, the vulnerability was published on June 5, 2026 with the fix commit publicly available, making the vulnerability trivially reverse-engineerable. The pattern of AI/ML framework vulnerabilities being rapidly weaponised — particularly those involving Hugging Face model loading — is well established. Organisations should patch proactively.
What Is the Fix?
Update Transformers to version 5.3.0 or later:
pip install --upgrade "transformers>=5.3.0"
Verify with pip show transformers. The fix commit is: a7f8e7ff37d87d1a1a0c8cf607971c607741452f
Recommendations
Update Transformers to 5.3.0 immediately across all environments. This is the third critical Hugging Face-related RCE this month. Every AI/ML environment — development, training, inference, and production serving — must be updated.
Audit model loading paths. Identify all code paths where models are loaded from external sources. Ensure models are only loaded from trusted, internally vetted repositories. Consider maintaining an internal model registry with approved models rather than allowing direct downloads from the public Hugging Face Hub.
Review all AI/ML dependencies. The pattern of trust_remote_code-style vulnerabilities across ChromaDB, OpenMed, and now Transformers indicates a systemic issue in how AI/ML frameworks handle external code execution during model loading. Audit your AI/ML toolchain for any framework that loads models from external sources with code execution capabilities.
Rebuild container images. If Transformers is installed in Docker/container images used for model serving or training, rebuild and redeploy all images with the updated version.
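As a concrete form of the "Audit model loading paths" recommendation above, here is an added example (not code from the advisory, from Hugging Face, or from the Transformers project) that inspects a model's config.json before it is handed to from_pretrained() and checks the installed Transformers version against the fixed release. The allowlist of attention-implementation names, the broad match on any key containing attn_implementation, and the Hub repository ID pattern are assumptions made for this example.

```python
import json
import re

# Assumption: attention-implementation names Transformers accepts as plain strings.
# Anything else in these fields, above all a "user/repo" Hub ID, is treated as suspect.
KNOWN_ATTN_IMPLS = {"eager", "sdpa", "flash_attention_2"}
HUB_REPO_ID = re.compile(r"^[\w.-]+/[\w.-]+$")  # shape of a Hugging Face Hub repository ID
FIXED_VERSION = (5, 3, 0)  # first Transformers release carrying the fix for CVE-2026-4372

def check_attn_fields(config):
    """Return findings for attention-implementation keys in a parsed config.json.

    The advisory names `_attn_implementation_internal`; any other key containing
    `attn_implementation` is checked too (assumption: same loading path)."""
    findings = []
    for key, value in config.items():
        if "attn_implementation" not in key:
            continue
        if not isinstance(value, str):
            findings.append(f"{key}: non-string value {value!r}")
        elif value in KNOWN_ATTN_IMPLS:
            continue
        elif HUB_REPO_ID.match(value):
            findings.append(f"{key}: points at Hub repository {value!r} (remote code would be fetched)")
        else:
            findings.append(f"{key}: unrecognised implementation {value!r}")
    return findings

def is_patched(version):
    """True if a Transformers version string is 5.3.0 or later."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.groups()) >= FIXED_VERSION

def audit_config_text(config_text, version):
    """Combine both checks; a suspicious config is refused even on a patched install."""
    findings = check_attn_fields(json.loads(config_text))
    return {"patched": is_patched(version), "findings": findings,
            "safe_to_load": not findings}

if __name__ == "__main__":
    # Constructed sample config mimicking the malicious shape the advisory describes
    # (placeholder repository ID, not a real indicator).
    SAMPLE = json.dumps({"model_type": "llama",
                         "_attn_implementation_internal": "attacker-placeholder/malicious-attn"})
    print(audit_config_text(SAMPLE, "5.2.1"))
```

Run the audit against the directory returned by snapshot_download (or the cached model folder) before the model is loaded, and gate the load on safe_to_load.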
References
- GitHub — Transformers Fix Commit
- NVD: CVE-2026-4372
- Vulnerability Intelligence Report — June 6, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 6, 2026.
