Hugging Face Transformers contains critical remote code execution vulnerability

CSO Online reports a critical remote code execution vulnerability in Hugging Face's Transformers library that let an attacker-controlled model run arbitrary code during a routine load, bypassing the trust_remote_code=False safeguard. Tracked as CVE-2026-4372, the flaw was silently patched in Transformers 5.3.0 (released March 3) but affected every release since 4.56.0; CSO Online reports vulnerable versions were still downloaded 7 to 8 million times per week. The exploit adds a crafted parameter to a model's remote configuration so that simply loading it with from_pretrained() executes attacker code. Security trackers also document a separate RCE, CVE-2026-1839, in the library's Trainer class, where a malicious checkpoint reaches an unsafe torch.load() call; SentinelOne reports a fix in version 5.0.0rc3. Both stem from deserialization of untrusted data in a load path that teams invoke automatically at scale.
What happened
CSO Online reports a critical remote code execution vulnerability in Hugging Face's widely used Transformers library that allowed an attacker-controlled model to execute arbitrary code during a standard load, bypassing the trust_remote_code=False safeguard many teams rely on. Tracked as CVE-2026-4372, the flaw was silently patched in Transformers 5.3.0 (released March 3) but had been present in every release since 4.56.0. Per CSO Online, the exploit adds a crafted parameter to a model's remote configuration file so that calling from_pretrained() triggers code execution, and vulnerable versions were still being downloaded 7 to 8 million times per week.
Technical details
The root weakness is deserialization of untrusted data in the model-loading path: configuration or checkpoint metadata is parsed in a way that can execute attacker-supplied payloads during object reconstruction. Security trackers document a related RCE, CVE-2026-1839, in the library's Trainer class, where the _load_rng_state() routine calls torch.load() without weights_only=True, letting a malicious checkpoint run code; SentinelOne reports a fix in version 5.0.0rc3. The notable shift from earlier malicious-model attacks is that exploitation can occur silently during an ordinary load even when trust_remote_code is disabled.
Context and significance
Transformers is among the most widely used ML libraries, so an RCE in a commonly invoked load path reaches a very large base of open-source and enterprise consumers. Environments that pull and instantiate third-party models automatically, such as model-evaluation pipelines and GPU inference services, are the most exposed, because a single crafted artifact can run code with access to local credentials and secrets.
What to watch
- •Upgrade Transformers to a patched release (5.3.0 or later) and identify any installs that ran vulnerable 4.56.0-5.2.x versions.
- •Treat model ingestion as a supply-chain touchpoint: pin versions, isolate model loading from secret-bearing environments, and prefer safetensors over pickle-based formats.
- •Track the NVD and OpenCVE entries for CVE-2026-4372 and CVE-2026-1839 for revised severity and affected-version data.
Key Points
- 1A Hugging Face Transformers RCE (CVE-2026-4372) let crafted models run code during a routine load, bypassing trust_remote_code=False; patched in 5.3.0, per CSO Online.
- 2The flaw sat in every release since 4.56.0, with vulnerable versions still downloaded 7-8 million times per week, exposing automated model-loading pipelines to silent compromise.
- 3Deserialization of untrusted model data is the recurring weakness; pin versions, isolate model loading from secrets, and prefer safetensors over pickle formats.
Scoring Rationale
A critical remote code execution in the extremely widely used Transformers library represents a major supply-chain risk for ML platforms and practitioners. The bug's ability to run code during routine model loads and its wide exposure justify a high importance score.
Sources
Primary source and supporting public references used for this report.
View 6 more sources
- Hugging Face Transformers Security Flaw Allows Remote Code Executionitsecuritynews.info
- Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configscsoonline.com
- CVE-2025-14930 Detail - NVDnvd.nist.gov
- CVE-2026-1839: HuggingFace Transformers RCE Vulnerabilitysentinelone.com
- Transformers CVEs and Security Vulnerabilities - OpenCVEapp.opencve.io
- Huggingface Transformers Security Vulnerabilities in 2026stack.watch
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
