CVE-2026-47117: OpenMed: RCE via trust_remote_code model loading

CRITICAL
Published June 2, 2026
CISO Take

OpenMed before v1.5.2 exposes a critical unauthenticated RCE (CVSS 9.8) in its PII privacy-filter dispatcher: user-supplied model_name values undergo only broad substring matching, meaning a repository named attacker/foo-privacy-filter-bar is routed to a code path that loads it from Hugging Face with trust_remote_code=True, executing any Python code embedded via auto_map in config.json or tokenizer_config.json under the OpenMed service account privileges — no credentials, no user interaction required. Healthcare and life-sciences organizations using OpenMed to process PHI should treat this as emergency-priority: the exploit is technically trivial, requiring only a free Hugging Face account and one crafted HTTP request, and the attack surface is any network-reachable OpenMed instance. Patch immediately to v1.5.2; if patching cannot happen within hours, block the privacy-filter endpoint at the perimeter and restrict outbound HTTPS to huggingface.co from production servers as a stopgap.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Maximal exploitability profile: CVSS 9.8, AV:N/AC:L/PR:N/UI:N with full CIA impact. The trust_remote_code=True attack class via Hugging Face is well-documented and tooling exists to craft malicious repositories quickly — barrier to entry is a free account and Python knowledge. OpenMed operates in healthcare contexts where the service process frequently has access to PHI datastores, internal clinical networks, and adjacent systems (EHR, PACS), dramatically amplifying blast radius beyond the immediate host. No KEV listing yet, but given trivial exploit complexity and high-value healthcare targets, weaponization is expected within days of public disclosure.

Attack Kill Chain

Malicious Model Preparation
Attacker creates a Hugging Face repository with a name containing the substring 'privacy-filter' and embeds malicious Python code via auto_map directives in config.json or tokenizer_config.json.
AML.T0058
Initial Access via Crafted Request
Attacker sends a single unauthenticated HTTP request to the OpenMed privacy-filter endpoint with model_name set to the crafted repository name, bypassing input validation through OpenMed's broad substring matching logic.
AML.T0049
Arbitrary Code Execution
OpenMed routes the request to the trust_remote_code loader, which fetches the attacker-controlled repository from Hugging Face and imports the embedded malicious Python code with the privileges of the OpenMed service process.
AML.T0018.002
Impact and Post-Exploitation
Attacker achieves full RCE on the OpenMed host, enabling PHI exfiltration, credential theft, reverse shell establishment for persistent C2 access, and lateral movement to connected clinical systems.
AML.T0072

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Patch to OpenMed >= 1.5.2 immediately.

  2. Until patched: block or rate-limit the privacy-filter endpoint at WAF/load-balancer layer for all external sources.

  3. Implement a server-side allowlist of approved model_name values; reject any value not matching an explicitly vetted list — substring matching on user input must never gate trust_remote_code loading.

  4. Hunt for exploitation: inspect process trees for unexpected child processes spawned by the OpenMed service, audit outbound network connections to unfamiliar hosts, review model loading logs for non-standard or external model names.

  5. Apply least-privilege to the OpenMed service account — it should not have filesystem or network access beyond its strict operational need.

  6. Network-segment the OpenMed service to prevent lateral movement.

  7. Block outbound HTTPS to huggingface.co from production clinical systems as defense-in-depth.
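As an added illustration of step 3 (example code, not OpenMed's own), the substring gate the advisory describes is shown beside an allowlist gate: the approved repository ids and the dispatch function names are placeholders assumed for this example, and the decision object stands in for the actual loader call.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical reconstruction of the flawed dispatch pattern described in the
# advisory (substring gate in front of a trust_remote_code=True loader).
PRIVACY_FILTER_SUBSTRING = "privacy-filter"

# Assumed allowlist of vetted repository ids (placeholder names, not real models).
APPROVED_PRIVACY_FILTER_MODELS = {
    "openmed/pii-privacy-filter-base",
    "openmed/pii-privacy-filter-large",
}

# Exact owner/name shape with a narrow charset, so traversal or URL fragments
# never reach the loader even before the allowlist check.
REPO_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,95}/[A-Za-z0-9][A-Za-z0-9._-]{0,95}$")


@dataclass(frozen=True)
class LoadDecision:
    allowed: bool
    repo_id: Optional[str]
    trust_remote_code: bool
    reason: str


def dispatch_vulnerable(model_name: str) -> LoadDecision:
    """Substring gate: any name containing 'privacy-filter' is routed to the
    remote-code loader, which is the CVE-2026-47117 pattern."""
    if PRIVACY_FILTER_SUBSTRING in model_name:
        return LoadDecision(True, model_name, True, "substring match")
    return LoadDecision(False, None, False, "no privacy-filter route")


def dispatch_hardened(model_name: str) -> LoadDecision:
    """Allowlist gate: exact match against vetted repo ids, and remote code
    execution is never enabled on the strength of a user-supplied value."""
    candidate = model_name.strip()
    if not REPO_ID_RE.fullmatch(candidate):
        return LoadDecision(False, None, False, "malformed repo id")
    if candidate not in APPROVED_PRIVACY_FILTER_MODELS:
        return LoadDecision(False, None, False, "not on allowlist")
    # Vetted weights only; custom Transformers classes via auto_map stay disabled.
    return LoadDecision(True, candidate, False, "allowlisted")
```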

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.1 - Security of AI systems
A.6.2 - AI system risk management
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-47117 actively exploited?

No confirmed active exploitation of CVE-2026-47117 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-47117?

This vulnerability affects the following AI/ML architecture patterns: Medical AI and clinical NLP pipelines, PII/PHI anonymization pipelines, Model serving with dynamic external model loading, Healthcare data processing pipelines.

What is the CVSS score for CVE-2026-47117?

CVE-2026-47117 has a CVSS v3.1 base score of 9.8 (CRITICAL).

AI Security Impact

Affected AI Architectures

Medical AI and clinical NLP pipelines
PII/PHI anonymization pipelines
Model serving with dynamic external model loading
Healthcare data processing pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models
AML.T0072 Reverse Shell
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.1, A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

Technical Details

Original Advisory

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path that loads Hugging Face models with trust_remote_code=True. An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json, which is imported and executed with the privileges of the OpenMed service process.

Exploitation Scenario

An attacker identifies a public-facing OpenMed instance via banner scanning or healthcare service registries. They create a free Hugging Face account and publish a repository named attacker/clinical-privacy-filter-loader containing a legitimate-looking config.json with an auto_map entry pointing to a custom Python class that downloads and executes a reverse shell payload. The attacker sends a single unauthenticated HTTP POST to the OpenMed privacy-filter endpoint with model_name=attacker/clinical-privacy-filter-loader. OpenMed's dispatcher finds 'privacy-filter' as a substring match and invokes the Hugging Face loader with trust_remote_code=True, fetching and importing the malicious class, establishing a reverse shell to attacker C2 infrastructure — all within seconds, leaving only routine Transformers import traces in application logs.
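The scenario above notes that a successful load leaves only routine model-loading traces in application logs; the hunt in step 4 of the remediation list works from exactly those traces. The following is an added example (not OpenMed's code): the log format, the allowlisted repo ids and the hunt function are constructed for this illustration, and the sample lines are fabricated.

```python
import re
from typing import Dict, List

# Assumed allowlist of vetted repository ids (placeholder names, not real models).
APPROVED_MODELS = {
    "openmed/pii-privacy-filter-base",
    "openmed/pii-privacy-filter-large",
}

# Constructed log line shape for this example; real OpenMed logs may differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) (?P<logger>\S+) loading "
    r"model_name=(?P<model>\S+) trust_remote_code=(?P<trc>True|False)$"
)

# Constructed sample: two benign loads, one non-allowlisted external repo, and
# one allowlisted repo loaded with remote code enabled (misconfiguration).
SAMPLE_LOG = """\
2026-06-02T10:14:03Z INFO openmed.privacy_filter loading model_name=openmed/pii-privacy-filter-base trust_remote_code=False
2026-06-02T10:15:41Z INFO openmed.privacy_filter loading model_name=attacker/clinical-privacy-filter-loader trust_remote_code=True
2026-06-02T10:16:02Z INFO openmed.privacy_filter loading model_name=openmed/pii-privacy-filter-large trust_remote_code=False
2026-06-02T10:17:19Z INFO openmed.privacy_filter loading model_name=openmed/pii-privacy-filter-base trust_remote_code=True
"""


def hunt_model_loads(log_text: str) -> List[Dict[str, str]]:
    """Flag model loads that an allowlist would have rejected, and any load
    that enabled remote code regardless of the model name."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line; a production hunt would count these
        reasons = []
        if m["model"] not in APPROVED_MODELS:
            reasons.append("model not on allowlist")
        if m["trc"] == "True":
            reasons.append("trust_remote_code enabled")
        if reasons:
            findings.append({"ts": m["ts"], "model": m["model"], "reason": "; ".join(reasons)})
    return findings
```

Any hit on a non-allowlisted repository or on trust_remote_code=True is a trigger for the process-tree and outbound-connection review in step 4, not a conclusion on its own.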

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 2, 2026
Last Modified
June 2, 2026
First Seen
June 2, 2026

Related Vulnerabilities