CVE-2026-47117: OpenMed: RCE via trust_remote_code model loading
GHSA-m3v4-v5gx-7wf5 CRITICAL CISA: TRACK*OpenMed before v1.5.2 exposes a critical unauthenticated RCE (CVSS 9.8) in its PII privacy-filter dispatcher: user-supplied model_name values undergo only broad substring matching, meaning a repository named attacker/foo-privacy-filter-bar is routed to a code path that loads it from Hugging Face with trust_remote_code=True, executing any Python code embedded via auto_map in config.json or tokenizer_config.json under the OpenMed service account privileges — no credentials, no user interaction required. Healthcare and life-sciences organizations using OpenMed to process PHI should treat this as emergency-priority: the exploit is technically trivial, requiring only a free Hugging Face account and one crafted HTTP request, and the attack surface is any network-reachable OpenMed instance. Patch immediately to v1.5.2; if patching cannot happen within hours, block the privacy-filter endpoint at the perimeter and restrict outbound HTTPS to huggingface.co from production servers as a stopgap.
What is the risk?
Maximal exploitability profile: CVSS 9.8, AV:N/AC:L/PR:N/UI:N with full CIA impact. The trust_remote_code=True attack class via Hugging Face is well-documented and tooling exists to craft malicious repositories quickly — barrier to entry is a free account and Python knowledge. OpenMed operates in healthcare contexts where the service process frequently has access to PHI datastores, internal clinical networks, and adjacent systems (EHR, PACS), dramatically amplifying blast radius beyond the immediate host. No KEV listing yet, but given trivial exploit complexity and high-value healthcare targets, weaponization is expected within days of public disclosure.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Transformers | pip | < 1.5.2 | 1.5.2 |
Do you use Transformers? You're affected.
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Patch to OpenMed >= 1.5.2 immediately.
-
Until patched: block or rate-limit the privacy-filter endpoint at WAF/load-balancer layer for all external sources.
-
Implement a server-side allowlist of approved model_name values; reject any value not matching an explicitly vetted list — substring matching on user input must never gate trust_remote_code loading.
-
Hunt for exploitation: inspect process trees for unexpected child processes spawned by the OpenMed service, audit outbound network connections to unfamiliar hosts, review model loading logs for non-standard or external model names.
-
Apply least-privilege to the OpenMed service account — it should not have filesystem or network access beyond its strict operational need.
-
Network-segment the OpenMed service to prevent lateral movement.
-
Block outbound HTTPS to huggingface.co from production clinical systems as defense-in-depth.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-47117?
OpenMed before v1.5.2 exposes a critical unauthenticated RCE (CVSS 9.8) in its PII privacy-filter dispatcher: user-supplied model_name values undergo only broad substring matching, meaning a repository named attacker/foo-privacy-filter-bar is routed to a code path that loads it from Hugging Face with trust_remote_code=True, executing any Python code embedded via auto_map in config.json or tokenizer_config.json under the OpenMed service account privileges — no credentials, no user interaction required. Healthcare and life-sciences organizations using OpenMed to process PHI should treat this as emergency-priority: the exploit is technically trivial, requiring only a free Hugging Face account and one crafted HTTP request, and the attack surface is any network-reachable OpenMed instance. Patch immediately to v1.5.2; if patching cannot happen within hours, block the privacy-filter endpoint at the perimeter and restrict outbound HTTPS to huggingface.co from production servers as a stopgap.
Is CVE-2026-47117 actively exploited?
No confirmed active exploitation of CVE-2026-47117 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-47117?
1. Patch to OpenMed >= 1.5.2 immediately. 2. Until patched: block or rate-limit the privacy-filter endpoint at WAF/load-balancer layer for all external sources. 3. Implement a server-side allowlist of approved model_name values; reject any value not matching an explicitly vetted list — substring matching on user input must never gate trust_remote_code loading. 4. Hunt for exploitation: inspect process trees for unexpected child processes spawned by the OpenMed service, audit outbound network connections to unfamiliar hosts, review model loading logs for non-standard or external model names. 5. Apply least-privilege to the OpenMed service account — it should not have filesystem or network access beyond its strict operational need. 6. Network-segment the OpenMed service to prevent lateral movement. 7. Block outbound HTTPS to huggingface.co from production clinical systems as defense-in-depth.
What systems are affected by CVE-2026-47117?
This vulnerability affects the following AI/ML architecture patterns: Medical AI and clinical NLP pipelines, PII/PHI anonymization pipelines, Model serving with dynamic external model loading, Healthcare data processing pipelines.
What is the CVSS score for CVE-2026-47117?
CVE-2026-47117 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.92%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.003 Model AML.T0018.002 Embed Malware AML.T0049 Exploit Public-Facing Application AML.T0058 Publish Poisoned Models AML.T0072 Reverse Shell AML.T0074 Masquerading Compliance Controls Affected
What are the technical details?
Original Advisory
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path that loads Hugging Face models with trust_remote_code=True. An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json, which is imported and executed with the privileges of the OpenMed service process.
Exploitation Scenario
An attacker identifies a public-facing OpenMed instance via banner scanning or healthcare service registries. They create a free Hugging Face account and publish a repository named attacker/clinical-privacy-filter-loader containing a legitimate-looking config.json with an auto_map entry pointing to a custom Python class that downloads and executes a reverse shell payload. The attacker sends a single unauthenticated HTTP POST to the OpenMed privacy-filter endpoint with model_name=attacker/clinical-privacy-filter-loader. OpenMed's dispatcher finds 'privacy-filter' as a substring match and invokes the Hugging Face loader with trust_remote_code=True, fetching and importing the malicious class, establishing a reverse shell to attacker C2 infrastructure — all within seconds, leaving only routine Transformers import traces in application logs.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/maziyarpanahi/openmed/commit/98724f65df98d7518b9006e6356740aa36c2f224
- github.com/maziyarpanahi/openmed/pull/59
- github.com/maziyarpanahi/openmed/releases/tag/v1.5.2
- vulncheck.com/advisories/openmed-remote-code-execution-via-pii-model-loading
- github.com/advisories/GHSA-m3v4-v5gx-7wf5
- nvd.nist.gov/vuln/detail/CVE-2026-47117
Timeline
Related Vulnerabilities
CVE-2026-26210 9.8 KTransformers: pickle RCE via unauthenticated ZMQ socket
Same package: transformers CVE-2024-3568 9.6 HuggingFace Transformers: RCE via pickle deserialization
Same package: transformers CVE-2026-5241 9.6 transformers: trust_remote_code bypass enables RCE via model load
Same package: transformers CVE-2024-11393 8.8 Transformers: RCE via MaskFormer model deserialization
Same package: transformers CVE-2023-6730 8.8 HuggingFace Transformers: RCE via unsafe deserialization
Same package: transformers