A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Transformers | pip | < 5.3.0 | 5.3.0 |
Do you use Transformers? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update Transformers to version 5.3.0
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-4372?
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Is CVE-2026-4372 actively exploited?
No confirmed active exploitation of CVE-2026-4372 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-4372?
Update to patched version: Transformers 5.3.0.
What is the CVSS score for CVE-2026-4372?
CVE-2026-4372 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.48%.
What are the technical details?
Original Advisory
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Weaknesses (CWE)
CWE-1066 Missing Serialization Control Element
Primary
CWE-502 Deserialization of Untrusted Data
Primary
CWE-1066 — Missing Serialization Control Element: The product contains a serializable data element that does not have an associated serialization method.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-26210 9.8 KTransformers: pickle RCE via unauthenticated ZMQ socket
Same package: transformers CVE-2026-47117 9.8 OpenMed: RCE via trust_remote_code model loading
Same package: transformers CVE-2024-3568 9.6 HuggingFace Transformers: RCE via pickle deserialization
Same package: transformers CVE-2026-5241 9.6 transformers: trust_remote_code bypass enables RCE via model load
Same package: transformers CVE-2024-11392 8.8 HuggingFace Transformers: RCE via config deserialization
Same package: transformers