CVE-2026-1839: HuggingFace Transformers: RCE via malicious checkpoint load
The HuggingFace Transformers `Trainer` class executes arbitrary code when loading checkpoint RNG state files because `torch.load()` is called without the `weights_only=True` guard, falling back to Python's unsafe pickle deserialization. HuggingFace Transformers is among the most widely deployed ML libraries globally — virtually every team running fine-tuning or distributed training with PyTorch < 2.6 is exposed, and the attack surface includes shared checkpoint storage, model registries, and collaborative training environments where a malicious `rng_state.pth` can be quietly substituted. There is no EPSS score or CISA KEV entry yet, but the exploit primitive (pickle deserialization RCE) is trivially weaponizable by anyone with access to the checkpoint path, and proof-of-concept techniques for this class of vulnerability are publicly documented. Patch to v5.0.0rc3 immediately; as a workaround, pin PyTorch to >= 2.6 where `safe_globals()` provides protection, audit checkpoint storage permissions, and scan for unexpected `.pth` files in training directories.
Risk Assessment
High practical risk despite absent CVSS score. The attack vector (deserialization of untrusted pickle data via `torch.load()`) is a well-understood exploit class with public tooling. Exploitation requires only write access to the checkpoint directory used by a training job — achievable via compromised storage credentials, supply chain substitution, or insider threat. Impact is full RCE in the training environment, which typically runs with elevated privileges on GPU infrastructure and has access to model weights, training data, and cloud credentials. The absence of KEV listing and public PoC slightly tempers urgency, but the ubiquity of HuggingFace Transformers in production ML pipelines makes this a high-priority patch.
Recommended Action
1. **Patch**: Upgrade to `transformers >= v5.0.0rc3`, which resolves the unsafe `torch.load()` call. If upgrading is not immediately feasible, pin PyTorch to >= 2.6, where the `safe_globals()` context manager provides protection.
2. **Workaround**: Override or monkey-patch `_load_rng_state()` in `trainer.py:3059` to add `weights_only=True` pending the upgrade.
3. **Audit**: Scan checkpoint directories for unexpected or recently modified `.pth` files; verify file hashes against known-good checkpoints before resuming training.
4. **Access control**: Enforce least-privilege on checkpoint storage — training jobs should write to isolated paths, not shared directories; rotate any credentials accessible from training environments as a precaution.
5. **Detection**: Alert on `torch.load()` calls without `weights_only=True` in code review gates (semgrep rule: `torch.load` without `weights_only` parameter); monitor for unexpected process spawning from training jobs.
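The audit step above (verify checkpoint file hashes before resuming, flag unexpected `.pth` files) as an added, runnable example. This is not code from the advisory or from the Transformers project: the training job records a SHA-256 manifest when it writes the checkpoint, and the resume path re-hashes the directory and refuses to continue if any recorded file was modified or removed, or if an unrecorded serialized file appeared. The directory and file names in `demo()` are constructed.

```python
"""Integrity gate for a Trainer checkpoint directory before resuming.

Added example (not part of the advisory or of Transformers). The manifest
must be stored somewhere the checkpoint writer cannot later overwrite
(for example a separate write-once bucket), otherwise an attacker who can
replace rng_state.pth can replace the manifest too.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File kinds that torch.load()/pickle will deserialize on resume; an unrecorded
# file with one of these suffixes is treated as a finding even if nothing else changed.
SERIALIZED_SUFFIXES = {".pth", ".pt", ".bin", ".pkl"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large weight files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(ckpt_dir: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under the checkpoint."""
    return {
        str(p.relative_to(ckpt_dir)): sha256_file(p)
        for p in sorted(ckpt_dir.rglob("*"))
        if p.is_file()
    }


def verify_checkpoint(ckpt_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return sorted findings; an empty list means the checkpoint may be resumed."""
    findings: list[str] = []
    current = build_manifest(ckpt_dir)
    for rel, recorded in manifest.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != recorded:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest and Path(rel).suffix in SERIALIZED_SUFFIXES:
            findings.append(f"unexpected serialized file: {rel}")
    return sorted(findings)


def demo() -> list[str]:
    """Constructed scenario: record a manifest, then tamper with rng_state.pth
    and drop an extra .pth into the directory, as the advisory's scenario describes."""
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "checkpoint-1000"
        ckpt.mkdir()
        (ckpt / "rng_state.pth").write_bytes(b"constructed rng state bytes")
        (ckpt / "trainer_state.json").write_text('{"global_step": 1000}')
        manifest = build_manifest(ckpt)
        assert verify_checkpoint(ckpt, manifest) == []  # untouched checkpoint passes
        (ckpt / "rng_state.pth").write_bytes(b"replaced contents")
        (ckpt / "rng_state_1.pth").write_bytes(b"file not in manifest")
        return verify_checkpoint(ckpt, manifest)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Wire `verify_checkpoint()` in front of whatever calls `Trainer.train(resume_from_checkpoint=...)` and abort on a non-empty result; hashing is cheap relative to the resume itself, and the check also catches the non-malicious case of a partially written checkpoint.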
Technical Details
NVD Description
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
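The defect the NVD description names is a single call site: `torch.load()` invoked without `weights_only=True`. Below is an added static check (not code from the advisory or from Transformers) that finds that pattern in Python source using the standard `ast` module, so it can sit in a code-review gate next to the semgrep rule mentioned under Recommended Action. It resolves `import torch as t` and `from torch import load as x` aliases, flags a missing keyword, an explicit `weights_only=False`, and a `**kwargs` splat that cannot be verified statically. The `SAMPLE` source is constructed for the demonstration.

```python
"""Static check for torch.load() calls that do not pass weights_only=True.

Added example, not part of the advisory or of the Transformers project.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    lineno: int
    reason: str


def scan_source(src: str) -> list[Finding]:
    """Report every torch.load(...) call in `src` that is not guarded by weights_only=True."""
    tree = ast.parse(src)

    # First pass: learn which names refer to torch and to torch.load.
    torch_names = {"torch"}
    load_names: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "torch":
                    torch_names.add(alias.asname or "torch")
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    load_names.add(alias.asname or "load")

    # Second pass: inspect each call that resolves to torch.load.
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_torch_load = (
            isinstance(func, ast.Attribute)
            and func.attr == "load"
            and isinstance(func.value, ast.Name)
            and func.value.id in torch_names
        ) or (isinstance(func, ast.Name) and func.id in load_names)
        if not is_torch_load:
            continue

        if any(kw.arg is None for kw in node.keywords):
            findings.append(Finding(node.lineno, "weights_only passed via **kwargs; verify manually"))
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords}
        value = keywords.get("weights_only")
        if value is None:
            findings.append(Finding(node.lineno, "weights_only not set (unsafe pickle path on PyTorch < 2.6)"))
        elif not (isinstance(value, ast.Constant) and value.value is True):
            findings.append(Finding(node.lineno, "weights_only is not the literal True"))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample: one guarded call and two unguarded ones (lines 5 and 11).
SAMPLE = '''import torch
from torch import load as tload

def unsafe(path):
    return torch.load(path, map_location="cpu")

def safe(path):
    return torch.load(path, weights_only=True)

def aliased(path):
    return tload(path, weights_only=False)
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.lineno}: {finding.reason}")
```

Run it over a tree with `scan_source(Path(f).read_text())` per file and fail the pipeline on any finding; the `**kwargs` case is reported rather than ignored because that is exactly how a missing guard hides from a keyword-only regex.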
Exploitation Scenario
An adversary with write access to a shared model checkpoint bucket (S3, GCS, NFS) — obtained via compromised CI/CD credentials or insider access — replaces a legitimate `rng_state.pth` checkpoint file with a pickle-serialized payload that spawns a reverse shell or exfiltrates environment variables. When a data scientist or automated training pipeline resumes a long-running fine-tuning job (e.g., LLaMA fine-tune that runs for days), the `Trainer._load_rng_state()` method silently loads the malicious file via `torch.load()`, executing the attacker's code in the training process. From this foothold, the attacker extracts Hugging Face Hub tokens, AWS instance metadata credentials, W&B API keys, or the model weights themselves — all typically available as environment variables or config files in the training environment.
Related Vulnerabilities
- CVE-2024-2912 (CVSS 10.0) BentoML: RCE via insecure deserialization. Same attack type: Supply Chain
- CVE-2026-21858 (CVSS 10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution
- CVE-2023-3765 (CVSS 10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
- CVE-2025-5120 (CVSS 10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
- GHSA-vvpj-8cmc-gx39 (CVSS 10.0) picklescan: security flaw enables exploitation. Same attack type: Supply Chain