HuggingFace diffusers (versions < 0.38.0) contains a critical security gate bypass in DiffusionPipeline.from_pretrained where the trust_remote_code=False check is enforced inside download() rather than at the actual dynamic module load site — meaning any code path that skips download() silently executes untrusted remote Python with no warning to the developer. With 385 downstream package dependents and a CVSS 8.8 score, any team running diffusion model pipelines — image generation services, fine-tuning workflows, or MLOps automation — that loads custom pipelines from HuggingFace Hub is exposed; three distinct exploit variants exist covering cross-repo pipelines, local snapshots with Hub custom_pipeline references, and local snapshots with embedded custom component files, making this broadly exploitable across the full spectrum of diffusers usage patterns. No public exploit or CISA KEV entry yet, but all three variants require only developer-level interaction that is normal in AI/ML workflows, making this a realistic supply chain threat with trivial execution complexity. Patch immediately with pip install --upgrade 'diffusers>=0.38.0'; if patching is blocked, audit all from_pretrained calls for cross-repo custom_pipeline arguments and inspect local snapshot directories for unexpected *.py files in component subdirectories.
What is the risk?
CVSS 8.8 (High) with AV:N/AC:L/PR:N/UI:R reflects a realistic, low-friction threat: the required user interaction is a routine developer action — loading a diffusion model — not a phishing click. The security control failure is entirely silent; developers passing trust_remote_code=False receive no warning, no exception, and no indication the check was ineffective. Three independently exploitable variants broaden the attack surface beyond the obvious Hub case to include fully offline environments using local snapshots. The 385 downstream dependents signal significant blast radius across the diffusion model ecosystem (Stable Diffusion, FLUX, ControlNet workflows). OpenSSF Scorecard of 5.7/10 indicates moderate supply chain hygiene in the package itself. No EPSS data yet and no known active exploitation, but the vulnerability class (CWE-94, code injection via security bypass) is well-understood and weaponizable by any attacker with a HuggingFace account.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Diffusers | pip | < 0.38.0 | 0.38.0 |
Do you use Diffusers? You're affected.
What should I do?
5 steps:
1. Patch immediately: pip install --upgrade 'diffusers>=0.38.0' — this is the only complete remediation.
2. Audit all from_pretrained calls: grep the codebase for DiffusionPipeline.from_pretrained and StableDiffusionPipeline.from_pretrained, flag any custom_pipeline= arguments pointing to Hub repos different from the primary model.
3. Inspect cached snapshots: before loading any local snapshot, scan for unexpected *.py files in component subdirectories (unet/, scheduler/, text_encoder/, vae/, controlnet/) and the snapshot root — any *.py that is not an __init__.py should be treated as suspect.
4. Lock model sources in CI/CD: enforce an allowlist of approved Hub org prefixes; block PRs that introduce new cross-repo custom_pipeline references without security review.
5. Runtime detection: monitor Python process spawns and unexpected network connections originating from model loading code paths — these are strong indicators of exploitation.
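A defender-side audit helper for steps 2 and 3, added here as an illustration and not code from the diffusers project: it statically finds from_pretrained calls whose custom_pipeline differs from the primary model, and lists unexpected *.py files in a snapshot. The sample source, repo names and the snapshot layout are constructed.

```python
import ast
import tempfile
from pathlib import Path

# Constructed sample source (stands in for grep hits): one plain call, one custom_pipeline
# equal to the primary model, one cross-repo reference that should be flagged.
SAMPLE_SOURCE = """from diffusers import DiffusionPipeline, StableDiffusionPipeline
p1 = DiffusionPipeline.from_pretrained("org/model-a")
p2 = DiffusionPipeline.from_pretrained("org/model-a", custom_pipeline="org/model-a")
p3 = StableDiffusionPipeline.from_pretrained("org/model-a", custom_pipeline="other/fast-scheduler")
"""
# Component subdirectories named in the advisory; the snapshot root is checked as well.
COMPONENT_DIRS = ("unet", "scheduler", "text_encoder", "vae", "controlnet")

def find_cross_repo_custom_pipelines(source):
    """(line, primary_model, custom_pipeline) for calls whose custom_pipeline differs from the model."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "from_pretrained"):
            continue
        model = node.args[0].value if node.args and isinstance(node.args[0], ast.Constant) else None
        for kw in node.keywords:
            if kw.arg == "custom_pipeline":
                target = kw.value.value if isinstance(kw.value, ast.Constant) else "<non-literal>"
                if target != model:  # other repo, or not resolvable statically: needs review
                    findings.append((node.lineno, model, target))
    return findings

def find_unexpected_py_files(snapshot):
    """*.py files other than __init__.py at the snapshot root or under component dirs."""
    hits = []
    for path in Path(snapshot).rglob("*.py"):
        rel = path.relative_to(snapshot)
        in_scope = len(rel.parts) == 1 or rel.parts[0] in COMPONENT_DIRS
        if in_scope and path.name != "__init__.py":
            hits.append(rel.as_posix())
    return sorted(hits)

def build_constructed_snapshot():
    """Constructed snapshot in a temp dir: configs plus a planted unet/ module (variant 3)."""
    root = Path(tempfile.mkdtemp()) / "snapshot"
    (root / "unet").mkdir(parents=True)
    (root / "model_index.json").write_text("{}")  # placeholder, not a real model index
    (root / "unet" / "config.json").write_text("{}")
    (root / "unet" / "__init__.py").write_text("")
    (root / "unet" / "my_unet_model.py").write_text("# planted component code\n")
    return root
```

Non-literal custom_pipeline arguments are reported as well, since the allowlist check in step 4 cannot resolve them without manual review.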
Frequently Asked Questions
Is CVE-2026-44513 actively exploited?
No confirmed active exploitation of CVE-2026-44513 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-44513?
This vulnerability affects the following AI/ML architecture patterns: image generation pipelines, model fine-tuning pipelines, model serving, training pipelines, CI/CD ML automation.
What is the CVSS score for CVE-2026-44513?
CVE-2026-44513 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.69%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0021 Establish Accounts
- AML.T0058 Publish Poisoned Models
What are the technical details?
Original Advisory
### Impact

A `trust_remote_code` bypass in `DiffusionPipeline.from_pretrained` allows arbitrary remote code execution despite the user passing `trust_remote_code=False` (or omitting it, which is the default).

The vulnerability has three variants, all sharing the same root cause — the `trust_remote_code` gate was implemented inside `DiffusionPipeline.download()` rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited `download()` also bypassed the security check:

1. **Cross-repo `custom_pipeline`.** `DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False)` — the gate evaluated against `repoA`'s file list rather than `repoB`'s, so `repoB`'s `pipeline.py` was loaded and executed.
2. **Local snapshot + Hub `custom_pipeline`.** `DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False)` — the local-path branch never invoked `download()`, so the gate was never reached and remote code from `repoB` executed.
3. **Local snapshot with custom components.** `DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False)` where the snapshot contains custom component files (e.g. `unet/my_unet_model.py`) referenced from `model_index.json` — same root cause; the local path skipped `download()` and custom component code executed.

Silent remote code execution on the victim's machine. Anyone calling `DiffusionPipeline.from_pretrained` with custom pipelines is impacted.

### Patches

Yes. Fixed in **diffusers 0.38.0** via [PR #13448](https://github.com/huggingface/diffusers/pull/13448).

All users on versions `< 0.38.0` should upgrade:

```bash
pip install --upgrade "diffusers>=0.38.0"
```

The fix moves the `trust_remote_code` gate out of `DiffusionPipeline.download()` and into `get_cached_module_file` in `src/diffusers/utils/dynamic_modules_utils.py`, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise `ValueError` instead of executing untrusted code.

### Workarounds

If upgrading immediately is not possible:

- Only call `from_pretrained` with `pretrained_model_name_or_path`, `custom_pipeline`, and local snapshot directories from fully trusted sources that have been audited.
- Do not pass `custom_pipeline=` pointing at a Hub repository different from the primary `pretrained_model_name_or_path` before reading its `pipeline.py`.
- Before calling `from_pretrained` on a local snapshot, inspect the snapshot for unexpected `*.py` files, especially under component subdirectories (`unet/`, `scheduler/`, etc.) and at the snapshot root.

These are mitigations, not fixes — the only complete remediation is upgrading to 0.38.0.

### Resources

- **Fix:** https://github.com/huggingface/diffusers/pull/13448
- **Original issue:** https://github.com/huggingface/diffusers/issues/13446
- **Release notes:** https://github.com/huggingface/diffusers/releases/tag/v0.38.0
- **CWE-94:** https://cwe.mitre.org/data/definitions/94.html
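Toy model of the root cause described in the advisory, added here as an illustration and not the diffusers source: a loader with the gate inside the `download()` branch, beside the fixed shape where every dynamic module load passes through one gated function. Only the two `custom_pipeline` variants are modelled; the `HUB` catalogue, repo names and the leading-`/` local-path heuristic are constructed assumptions.

```python
# Constructed stand-in for the Hub: repo name -> files it contains.
HUB = {"repoA": ["model_index.json"], "attacker/repoB": ["pipeline.py"]}

def vulnerable_from_pretrained(name, custom_pipeline=None, trust_remote_code=False):
    """Pre-0.38.0 shape: the gate lives in the download() branch only."""
    loaded = []
    if not name.startswith("/"):  # download() branch, taken for Hub repos only
        # Variant 1: the gate inspects the primary repo's file list, not custom_pipeline's.
        if "pipeline.py" in HUB[name] and not trust_remote_code:
            raise ValueError("remote code requires trust_remote_code=True")
    # Variant 2: a local snapshot never enters download(), so no gate runs at all.
    if custom_pipeline:
        loaded.append(f"{custom_pipeline}/pipeline.py")  # dynamic module executed unconditionally
    return loaded

def get_cached_module_file(module_ref, trust_remote_code):
    """Post-fix shape: every dynamic module load passes through this one chokepoint."""
    if not trust_remote_code:
        raise ValueError(f"loading {module_ref} requires trust_remote_code=True")
    return module_ref

def fixed_from_pretrained(name, custom_pipeline=None, trust_remote_code=False):
    """Same entry point; the gate is enforced at load time regardless of code path."""
    loaded = []
    if custom_pipeline:
        loaded.append(get_cached_module_file(f"{custom_pipeline}/pipeline.py", trust_remote_code))
    return loaded

def gate_blocks(loader, **kwargs):
    """True if the loader refuses the call with ValueError instead of loading code."""
    try:
        loader(**kwargs)
    except ValueError:
        return True
    return False
```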
Exploitation Scenario
An attacker registers a HuggingFace account and publishes a repository (e.g., attacker-org/fast-scheduler) containing a pipeline.py whose class constructor embeds a reverse shell or drops a persistent implant. They identify an open-source fine-tuning script with significant adoption — such as a community Stable Diffusion training template — and submit a PR adding custom_pipeline='attacker-org/fast-scheduler' to the from_pretrained call, framed as a 'performance optimization.' When a researcher or CI runner on an unpatched version executes the script, the trust_remote_code=False default provides no protection: diffusers downloads pipeline.py, bypasses the gate because the check evaluated against the primary repo rather than the custom_pipeline repo, and executes the attacker's code with full process privileges — silently compromising the developer's workstation or build server. In a more targeted variant, the attacker directly contacts ML engineers at a target organization offering a 'custom scheduler' for their image generation pipeline, achieving direct RCE on production infrastructure.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Related Vulnerabilities
- GHSA-j7w6-vpvq-j3gm (8.8) diffusers: silent RCE via None.py trust_remote_code bypass (same package: diffusers)
- CVE-2026-45804 (7.5) diffusers: TOCTOU race bypasses trust_remote_code, RCE (same package: diffusers)
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (same attack type: Supply Chain)
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE (same attack type: Supply Chain)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same attack type: Supply Chain)