CVE-2026-4372

GHSA-29pf-2h5f-8g72 HIGH
Published May 26, 2026

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled...


What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| Transformers | pip | < 5.3.0 | 5.3.0 |


How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: N/A

What is the attack surface?

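Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High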

What should I do?

Patch available

Update Transformers to version 5.3.0

Which compliance frameworks are affected?

Compliance analysis pending.

Frequently Asked Questions

What is CVE-2026-4372?

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.

Is CVE-2026-4372 actively exploited?

No confirmed active exploitation of CVE-2026-4372 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-4372?

Update to patched version: Transformers 5.3.0.

What is the CVSS score for CVE-2026-4372?

CVE-2026-4372 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.48%.

What are the technical details?

Original Advisory

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
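As a pre-load check for model directories obtained from outside, the sketch below scans a `config.json` for the `_attn_implementation_internal` field at any nesting depth and tests a version string against the 5.3.0 fix. It is an added example, not code from the advisory or from the transformers project. It assumes that a serialized config has no reason to carry this internal field and that a value shaped like `owner/name` is a Hub repository ID; the sample config, the nested `text_config` entry and all function names are constructed for illustration.

```python
import json
import re
import sys

FIELD = "_attn_implementation_internal"   # field named in the advisory
PATCHED = (5, 3, 0)                       # first fixed release per the advisory
REPO_ID = re.compile(r"^[\w.-]+/[\w.-]+(?:[:@].*)?$")  # assumption: "owner/name" shape

SAMPLE = json.dumps({                     # constructed sample, not a real model config
    "model_type": "llama",
    "_attn_implementation_internal": "example-owner/example-kernel",
    "text_config": {"_attn_implementation_internal": "sdpa"},
})

def find_field(node, path="$"):
    """Return [(json_path, value)] for every occurrence of FIELD, at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == FIELD:
                hits.append((here, value))
            hits.extend(find_field(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_field(item, f"{path}[{i}]"))
    return hits

def audit_config(text):
    """Report each occurrence; kind 'repo-id' is the pattern the advisory describes."""
    findings = []
    for path, value in find_field(json.loads(text)):
        is_repo = isinstance(value, str) and REPO_ID.match(value)
        findings.append({"path": path, "value": value,
                         "kind": "repo-id" if is_repo else "present"})
    return findings

def is_vulnerable(version):
    """True when the numeric part of a transformers version is below 5.3.0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("+")[0])[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < PATCHED

if __name__ == "__main__":
    # Pass config.json paths as arguments; with none, the constructed sample is audited.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for finding in audit_config(text):
            print(finding)
```

`is_vulnerable` can be fed the installed version from `importlib.metadata.version("transformers")`; the scan complements the upgrade to 5.3.0 and does not replace it.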

Weaknesses (CWE)

CWE-1066 — Missing Serialization Control Element: The product contains a serializable data element that does not have an associated serialization method.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: May 26, 2026
Last Modified: July 1, 2026
First Seen: July 1, 2026
