CVE-2026-1839: HuggingFace Transformers: RCE via malicious checkpoint load

GHSA-69w3-r845-3855 | Severity: MEDIUM | CISA SSVC: ATTEND
Published April 7, 2026
CISO Take

The HuggingFace Transformers `Trainer` class executes arbitrary code when loading checkpoint RNG state files because `torch.load()` is called without the `weights_only=True` guard, falling back to Python's unsafe pickle deserialization. HuggingFace Transformers is among the most widely deployed ML libraries globally — virtually every team running fine-tuning or distributed training with PyTorch < 2.6 is exposed, and the attack surface includes shared checkpoint storage, model registries, and collaborative training environments where a malicious `rng_state.pth` can be quietly substituted. There is no EPSS score or CISA KEV entry yet, but the exploit primitive (pickle deserialization RCE) is trivially weaponizable by anyone with access to the checkpoint path, and proof-of-concept techniques for this class of vulnerability are publicly documented. Patch to v5.0.0rc3 immediately; as a workaround, pin PyTorch to >= 2.6 where `safe_globals()` provides protection, audit checkpoint storage permissions, and scan for unexpected `.pth` files in training directories.

Sources: NVD, ATLAS, GitHub Advisory

What is the risk?

High practical risk despite absent CVSS score. The attack vector (deserialization of untrusted pickle data via `torch.load()`) is a well-understood exploit class with public tooling. Exploitation requires only write access to the checkpoint directory used by a training job — achievable via compromised storage credentials, supply chain substitution, or insider threat. Impact is full RCE in the training environment, which typically runs with elevated privileges on GPU infrastructure and has access to model weights, training data, and cloud credentials. The absence of KEV listing and public PoC slightly tempers urgency, but the ubiquity of HuggingFace Transformers in production ML pipelines makes this a high-priority patch.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| transformers | pip | < 5.0.0rc3 | 5.0.0rc3 |

Do you use transformers? You're affected.

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): High

What should I do?

1. **Patch**: Upgrade to `transformers >= v5.0.0rc3`, which resolves the unsafe `torch.load()` call. If upgrading is not immediately feasible, pin PyTorch to >= 2.6, where the `safe_globals()` context manager provides protection.

2. **Workaround**: Override or monkey-patch `_load_rng_state()` in `trainer.py:3059` to add `weights_only=True` pending the upgrade.

3. **Audit**: Scan checkpoint directories for unexpected or recently modified `.pth` files; verify file hashes against known-good checkpoints before resuming training.

4. **Access control**: Enforce least privilege on checkpoint storage — training jobs should write to isolated paths, not shared directories; rotate any credentials accessible from training environments as a precaution.

5. **Detection**: Alert on `torch.load()` calls without `weights_only=True` in code review gates (semgrep rule: `torch.load` without `weights_only` parameter); monitor for unexpected process spawning from training jobs.
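As an added example for the audit step (this is not code from the advisory or from the Transformers project), a static scanner that lists the `module.name` references a checkpoint's pickle stream would import by walking the opcodes with `pickletools`, never unpickling, and flags anything outside an allowlist. The allowlist is an assumption for the demo that approximates the kind of restriction `weights_only=True` enforces, not torch's actual list; the checkpoints, file names and the harmless out-of-allowlist global (`pickletools.dis`) are constructed inline.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict
# Allowlist is an assumption for this demo (the kind of module.name set a weights_only-style
# loader admits), not torch's actual list.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2", "torch.ByteStorage"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8", "STRING", "BINSTRING", "SHORT_BINSTRING"}

def referenced_globals(stream: bytes) -> list[str]:
    """Every module.name the stream would import, read from opcodes only; nothing is unpickled."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _ in pickletools.genops(stream):
        if op.name in STRING_OPS:
            last = arg
            strings.append(arg)
        elif op.name == "GLOBAL":        # protocol <= 3: arg is "module name"
            last = None
            found.append(".".join(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: consumes the two strings pushed before it
            last = None
            found.append(f"{strings.pop(-2)}.{strings.pop()}" if len(strings) > 1 else "<unresolved>")
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):   # memo bookkeeping so a
            memo[len(memo) if arg is None else arg] = last             # BINGET of a module name resolves
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            strings.extend([last] if isinstance(last, str) else [])
        elif op.name not in ("PROTO", "FRAME", "STOP"):
            last = None                  # anything else leaves a non-string on top of the stack
    return found

def scan_checkpoint(blob: bytes) -> dict[str, list[str]]:
    """Map each pickle stream in a checkpoint (torch zip container or legacy raw pickle) to its disallowed globals."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = {n: zf.read(n) for n in zf.namelist() if n.endswith(".pkl")}
    else:
        streams = {"<raw pickle>": blob}
    return {n: [g for g in referenced_globals(s) if g not in ALLOWED_GLOBALS] for n, s in streams.items()}

def build_samples() -> dict[str, bytes]:
    """Constructed inputs: benign RNG-state-like dicts (legacy and zip layouts) and one file that references a global outside the allowlist (pickletools.dis is harmless; it stands in for anything unexpected)."""
    benign = pickle.dumps(OrderedDict(cpu=[1, 2, 3], cuda=None), protocol=4)
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("archive/data.pkl", benign)  # torch stores the object graph at <name>/data.pkl
    return {"legacy_rng_state.pth": pickle.dumps(OrderedDict(cpu=[1, 2, 3]), protocol=2),
            "rng_state.pth": zipped.getvalue(), "tampered_rng_state.pth": pickle.dumps(pickletools.dis, protocol=4)}
```

A non-empty list for any stream means the file would import something a restricted loader would refuse, so it should be quarantined and hash-checked against a known-good checkpoint rather than resumed from.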

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

- EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
- ISO 42001: A.6.2.6 - AI system supply chain management
- NIST AI RMF: MANAGE 3.2 - Treatment of identified AI risks; MEASURE 2.5 - AI risks and benefits are evaluated for external dependencies
- OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2026-1839 actively exploited?

No confirmed active exploitation of CVE-2026-1839 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-1839?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, fine-tuning workflows, MLOps checkpoint/resume pipelines.

What is the CVSS score for CVE-2026-1839?

CVE-2026-1839 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.

Exploitation Scenario

An adversary with write access to a shared model checkpoint bucket (S3, GCS, NFS) — obtained via compromised CI/CD credentials or insider access — replaces a legitimate `rng_state.pth` checkpoint file with a pickle-serialized payload that spawns a reverse shell or exfiltrates environment variables. When a data scientist or automated training pipeline resumes a long-running fine-tuning job (e.g., LLaMA fine-tune that runs for days), the `Trainer._load_rng_state()` method silently loads the malicious file via `torch.load()`, executing the attacker's code in the training process. From this foothold, the attacker extracts Hugging Face Hub tokens, AWS instance metadata credentials, W&B API keys, or the model weights themselves — all typically available as environment variables or config files in the training environment.

CVSS Vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H

Timeline

Published: April 7, 2026
Last Modified: April 8, 2026
First Seen: April 7, 2026