CVE-2026-6859: InstructLab: RCE via hardcoded trust_remote_code flag

GHSA-rxpq-xgqx-fr7p HIGH
Published April 22, 2026
CISO Take

InstructLab's linux_train.py permanently hardcodes trust_remote_code=True when loading models from HuggingFace, meaning any model a user downloads and runs with ilab train, download, or generate commands can execute arbitrary Python code on their machine without any warning or consent prompt. This is a CVSS 8.8 supply chain attack vector targeting AI development and fine-tuning workflows — any team using InstructLab to train or experiment with models is at risk if they pull from an untrusted or compromised HuggingFace repository. With an EPSS score placing this in the top 68th percentile and a CISA SSVC designation of TRACK, exploitation is plausible even though no public exploit exists yet, and critically, no patch is available for affected versions (≤ 0.26.1). Until a fix ships, prohibit ilab commands against models from unverified HuggingFace sources, manually audit model files before loading, and monitor for unexpected process execution during training runs.

Sources: NVD, EPSS, GitHub Advisory, CISA KEV, ATLAS.

What is the risk?

HIGH. While exploitation requires social engineering — a user must run ilab with an attacker-supplied model — the hardcoded trust_remote_code=True removes every safety net: users receive no warning, no prompt, and no ability to opt out. AI/ML teams running InstructLab in local or CI/CD training environments are silently and completely exposed to RCE. The attack is low-complexity once the malicious model is published, and HuggingFace Hub's scale makes victim discovery trivial. No patch exists as of disclosure, elevating residual risk for all currently deployed InstructLab instances.

How does the attack unfold?

  1. Publish Malicious Model (AML.T0058): Adversary creates a HuggingFace repository containing a model with embedded malicious Python code in custom modeling files, disguised as a legitimate fine-tuned variant.

  2. Social Engineering (AML.T0011): Adversary promotes the malicious model via ML forums, community posts, or direct outreach to InstructLab users, convincing them to download and train with it.

  3. Automatic Code Execution (AML.T0011.000): User runs ilab train/download/generate; InstructLab loads the model with hardcoded trust_remote_code=True, automatically importing and executing the attacker's malicious Python code.

  4. Full System Compromise (AML.T0072): Attacker achieves arbitrary code execution with the victim's privileges, enabling credential theft, reverse shell establishment, data exfiltration, or persistent backdoor installation.

What systems are affected?

Package: InstructLab
Ecosystem: pip
Vulnerable range: <= 0.26.1
Patched: No patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Immediate: Restrict ilab train/download/generate to models from verified, internally-curated HuggingFace namespaces only. Prohibit ad-hoc model pulls from the public Hub.

  2. Audit existing InstructLab workflows — review which models have been loaded and check for unexpected files, processes, or network connections.

  3. Workaround: Manually inspect model repository files (especially config.json and any .py files) before loading. Reject any model containing custom Python code unless fully reviewed by a human.

  4. Detection: Monitor for unexpected child processes spawned by Python during ilab execution, particularly outbound network connections or filesystem writes outside expected training directories.

  5. Patch: Track the upstream fix at https://github.com/advisories/GHSA-rxpq-xgqx-fr7p and apply immediately when available.

  6. Sandbox: Run InstructLab in isolated containers with no access to sensitive credentials, secrets, or production network resources.
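The pre-load inspection in step 3 can be automated. The following is an added example (not InstructLab's own code) that walks a locally downloaded model snapshot and flags the two things trust_remote_code=True would act on: Python source files in the repository and "auto_map" entries in config.json or tokenizer_config.json, which are what tell transformers to import custom classes from the repo. The sample directories it builds are constructed for demonstration and contain no real model.

```python
"""Pre-load audit of a local HuggingFace model snapshot (added example)."""
import json
import tempfile
from pathlib import Path

# Config files whose "auto_map" entries point transformers at custom Python
# classes inside the repository; that code only runs when trust_remote_code=True.
CONFIG_FILES = ("config.json", "tokenizer_config.json")


def audit_model_dir(model_dir: str) -> list[str]:
    """Return a list of findings; an empty list means no custom code was found."""
    findings = []
    root = Path(model_dir)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Any Python source in a weights repository is a red flag: it will be imported.
        if path.suffix in (".py", ".pyc"):
            findings.append(f"python source present: {rel}")
        if path.name in CONFIG_FILES:
            try:
                cfg = json.loads(path.read_text(encoding="utf-8"))
            except (ValueError, UnicodeDecodeError):
                findings.append(f"unparseable config: {rel}")
                continue
            # auto_map values are "module.Class" strings (or lists of them for tokenizers).
            for auto_cls, target in (cfg.get("auto_map") or {}).items():
                findings.append(f"{rel}: auto_map {auto_cls} -> {target}")
    return findings


def is_safe_to_load(model_dir: str) -> bool:
    """Policy from step 3: reject any snapshot that carries custom Python code."""
    return not audit_model_dir(model_dir)


def _make_sample(with_custom_code: bool) -> str:
    """Build a constructed (fake) model directory for demonstration only."""
    d = tempfile.mkdtemp()
    cfg = {"model_type": "llama", "hidden_size": 16}
    if with_custom_code:
        cfg["auto_map"] = {"AutoModelForCausalLM": "modeling_custom.CustomForCausalLM"}
        Path(d, "modeling_custom.py").write_text("# custom modeling code would live here\n")
    Path(d, "config.json").write_text(json.dumps(cfg))
    Path(d, "model.safetensors").write_bytes(b"\x00" * 8)  # placeholder bytes, not weights
    return d


if __name__ == "__main__":
    for finding in audit_model_dir(_make_sample(with_custom_code=True)):
        print("REJECT:", finding)
```

Run it against the snapshot directory the ilab download step writes (for example the model path you would hand to ilab model train) before any training or generation is started.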

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.7.3 - AI Supply Chain Management
NIST AI RMF: MANAGE 2.2 - AI Risk from Third Parties
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2026-6859 actively exploited?

No confirmed active exploitation of CVE-2026-6859 has been reported. Since no patch exists for affected versions, organizations should still apply the mitigations listed above proactively and apply the upstream fix as soon as it is released.


What systems are affected by CVE-2026-6859?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Model fine-tuning, LLM development workflows, CI/CD ML pipelines.

What is the CVSS score for CVE-2026-6859?

CVE-2026-6859 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.14%.

What is the AI security impact?

Affected AI Architectures

Training pipelines
Model fine-tuning
LLM development workflows
CI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.7.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.

Exploitation Scenario

An adversary creates a HuggingFace repository containing a model with a malicious custom modeling_*.py file that executes a reverse shell or credential harvester when imported. The model is given a convincing name — a fine-tuned Granite or Llama variant — and promoted via ML forums, LinkedIn posts, or direct outreach to InstructLab users. When the victim runs `ilab model download --repository attacker/malicious-model` followed by `ilab model train`, InstructLab's linux_train.py loads the model with trust_remote_code=True, automatically importing and executing the attacker's Python code with no user confirmation. The adversary achieves immediate arbitrary code execution with the victim's user privileges — no further exploitation steps required.

Weaknesses (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
April 22, 2026
Last Modified
April 29, 2026
First Seen
April 22, 2026
