CVE-2026-5241: transformers: trust_remote_code bypass enables RCE via model load

AWAITING NVD
Published June 3, 2026
CISO Take

A critical vulnerability in HuggingFace Transformers 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization even when the caller explicitly sets trust_remote_code=False — the primary user-facing safety control for remote model loading. The attack works because LightGlueConfig silently reads trust_remote_code from the untrusted config.json and propagates it into nested AutoConfig calls, overriding the explicit flag with no warning. Transformers is among the most widely deployed ML libraries in production, making the blast radius extremely broad: API inference servers that accept dynamic model IDs, CI/CD pipelines that benchmark community models, and research notebook environments are all directly exposed with no available detection at the Python API layer. No public exploit code or CISA KEV listing exists at time of writing, but the attack requires only a HuggingFace account and a crafted model repository — a trivial barrier for any motivated actor. Immediately upgrade past 5.2.0, restrict AutoModel.from_pretrained() call sites to an allowlist of verified model IDs, and rotate all secrets accessible to any process that loaded untrusted models on the affected version.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

HIGH. The vulnerability defeats the primary user-facing control for safe model loading in Transformers, creating a dangerous false sense of security — developers who explicitly set trust_remote_code=False believe they are protected and will not apply additional mitigations. Exploitation requires only a HuggingFace account and upload access, placing it within reach of nation-state actors, financially motivated attackers, and opportunistic researchers alike. The attack surface is broad: any programmatic pipeline loading third-party or user-supplied model IDs is exposed. Successful exploitation yields RCE at the privilege level of the inference process, which in cloud environments typically means access to IAM roles, mounted secrets, and internal network segments. Although CVSS and EPSS scores are not yet published and no active exploitation is confirmed, the combination of trivial weaponization, wide deployment footprint, and high-impact post-exploitation outcomes justifies treating this as effectively Critical pending formal scoring.

Attack Kill Chain

Malicious Model Publish
Adversary publishes a crafted model repository to HuggingFace Hub with config.json containing trust_remote_code=true and a malicious modeling_lightglue.py payload module.
AML.T0058
Victim Model Load
Victim pipeline calls AutoModel.from_pretrained(attacker_model_id, trust_remote_code=False), believing the explicit False flag prevents remote code execution.
AML.T0011.000
Trust Flag Override
LightGlueConfig reads trust_remote_code=true from the attacker's config.json and silently propagates it into nested AutoConfig.from_pretrained() calls, overriding the caller's safety flag with no exception or warning.
AML.T0010.001
Code Execution and Credential Exfiltration
Attacker-provided Python module executes with inference process privileges, exfiltrating environment variable secrets, cloud credentials, and API keys, or deploying a persistent backdoor.
AML.T0055

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
transformers | pip | | No patch

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade huggingface/transformers to a version that includes commit 676559d or later, which fixes the trust_remote_code propagation path in LightGlueConfig. Verify the fix is present before deploying to inference infrastructure.

  2. WORKAROUND (if immediate upgrade is blocked)

    Audit all AutoModel.from_pretrained() call sites in application and pipeline code; enforce an explicit allowlist of permitted model IDs or repository owner prefixes at the application layer, rejecting any model ID not on the list before the library call is made.

  3. DETECTION

    Search codebase and CI/CD configs for AutoModel.from_pretrained() calls that accept dynamic or externally supplied model IDs. Monitor inference worker processes for unexpected child process spawning or outbound network connections immediately following model load events.

  4. SECRET ROTATION

    If any pipeline loaded untrusted models on Transformers 5.2.0, treat all secrets accessible to that process as compromised — rotate API keys, cloud credentials, and database passwords.

  5. DEFENCE IN DEPTH

    Run model loading steps in sandboxed, network-egress-restricted containers with no access to production secrets, regardless of library version, to limit blast radius of any future model-loading vulnerability.
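Steps 2 and 3 above can be enforced in code before the library is ever called. The block below is an added example, not code from the advisory or the transformers project: it allowlists model IDs by exact ID or owner prefix, then scans the repository's config.json (fetched separately, e.g. with huggingface_hub) and refuses to load if trust_remote_code or auto_map appears at any nesting depth, which is the propagation path the advisory describes. The auto_map key and the nested keypoint_detector_config name are assumptions, and the sample configs are constructed.

```python
import json
import re
from typing import Any, Iterable
# Added example, not code from the advisory or the transformers project.
# Gate 1: allowlist of exact model IDs or repository-owner prefixes.
# Gate 2: reject any config.json carrying trust_remote_code (or auto_map, the
# hub's remote-code hook; an assumption not taken from the advisory) at any
# nesting depth, since the flag is read from untrusted config.json and
# propagated into nested AutoConfig calls.
MODEL_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")  # owner/name only
FORBIDDEN_KEYS = {"trust_remote_code", "auto_map"}

def model_id_allowed(model_id: str, allowed_ids: Iterable[str] = (),
                     allowed_owners: Iterable[str] = ()) -> bool:
    """True only for exact allowlisted IDs or IDs under an allowlisted owner."""
    if not MODEL_ID_RE.match(model_id):
        return False  # rejects local paths, URLs, traversal and bare names
    return model_id in set(allowed_ids) or model_id.split("/", 1)[0] in set(allowed_owners)

def remote_code_keys(config: Any, path: str = "") -> list[str]:
    """Dotted paths of every forbidden key, including inside nested sub-configs."""
    found: list[str] = []
    if isinstance(config, dict):
        for key, value in config.items():
            here = f"{path}.{key}" if path else key
            if key in FORBIDDEN_KEYS:
                found.append(here)
            found.extend(remote_code_keys(value, here))
    elif isinstance(config, list):
        for i, item in enumerate(config):
            found.extend(remote_code_keys(item, f"{path}[{i}]"))
    return found

def scan_config_json(config_json: str) -> list[str]:
    return remote_code_keys(json.loads(config_json))

def guarded_load(model_id: str, config_json: str, loader,
                 allowed_ids=(), allowed_owners=()):
    """Run both gates, then hand off to `loader` (e.g. a from_pretrained wrapper)."""
    if not model_id_allowed(model_id, allowed_ids, allowed_owners):
        raise PermissionError(f"model id not on allowlist: {model_id}")
    if hits := scan_config_json(config_json):
        raise PermissionError(f"config.json requests remote code via {hits}")
    return loader(model_id)

# Constructed sample configs (not real repositories; nested key name illustrative).
MALICIOUS_CONFIG = json.dumps({"model_type": "lightglue", "trust_remote_code": True,
    "keypoint_detector_config": {"model_type": "superpoint", "trust_remote_code": True}})
BENIGN_CONFIG = json.dumps({"model_type": "lightglue", "keypoint_detector_config": {"model_type": "superpoint"}})
```

The gate is a compensating control only; patching past the affected version is still required.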

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - AI system supply chain
NIST AI RMF
GOVERN 6.2 - Policies and procedures for AI supply chain risk management
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-5241 actively exploited?

No confirmed active exploitation of CVE-2026-5241 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-5241?

This vulnerability affects the following AI/ML architecture patterns: model serving, CI/CD model evaluation pipelines, training pipelines, research notebooks, API inference servers.

What is the CVSS score for CVE-2026-5241?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

model serving
CI/CD model evaluation pipelines
training pipelines
research notebooks
API inference servers

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0055 Unsecured Credentials
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM05:2025

Technical Details

Original Advisory

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.

Exploitation Scenario

An adversary registers a legitimate-looking HuggingFace account and publishes a computer vision model named something plausible (e.g., 'lightglue-outdoor-v2'). The repository contains a config.json with trust_remote_code set to true and a modeling_lightglue.py that harvests environment variables and posts them to an attacker-controlled endpoint before returning a normal model object. A target organization's CI/CD pipeline automatically benchmarks vision models from HuggingFace Hub using AutoModel.from_pretrained(model_id, trust_remote_code=False). Despite the explicit False flag, LightGlueConfig reads trust_remote_code=true from the attacker's config.json and silently propagates it into the nested AutoConfig call, triggering execution of modeling_lightglue.py with the CI runner's credentials. The malicious code exfiltrates CI/CD secrets, cloud IAM tokens, and internal service credentials — all while the benchmark job exits normally with status 0, leaving no obvious indication of compromise in pipeline logs.

Timeline

Published
June 3, 2026
Last Modified
June 3, 2026
First Seen
June 3, 2026
