CVE-2026-44513: CWE-94: Improper Control of Generation of Code ('Code Injection') in huggingface diffusers
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.
AI Analysis
Technical Summary
The vulnerability in huggingface diffusers before 0.38.0 arises because the trust_remote_code security check is performed inside DiffusionPipeline.download() rather than at the actual dynamic module loading point. This design flaw allows attackers to bypass the check by using alternative code paths that do not invoke download(), such as specifying a custom_pipeline from a malicious repository or loading local snapshots with custom component files. As a result, arbitrary remote code can be executed even when trust_remote_code is set to false. The issue has three variants sharing this root cause. The vulnerability is addressed in version 0.38.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary remote code on the system running the vulnerable diffusers library, potentially leading to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS 3.1 score is 8.8 (high severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in diffusers version 0.38.0. Users should upgrade to version 0.38.0 or later to remediate this issue. There is no vendor advisory indicating alternative mitigations or that no action is required. Patch status is confirmed by the versioning information in the description. No cloud service is involved, so remediation is the responsibility of the user.
CVE-2026-44513: CWE-94: Improper Control of Generation of Code ('Code Injection') in huggingface diffusers
Description
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in huggingface diffusers before 0.38.0 arises because the trust_remote_code security check is performed inside DiffusionPipeline.download() rather than at the actual dynamic module loading point. This design flaw allows attackers to bypass the check by using alternative code paths that do not invoke download(), such as specifying a custom_pipeline from a malicious repository or loading local snapshots with custom component files. As a result, arbitrary remote code can be executed even when trust_remote_code is set to false. The issue has three variants sharing this root cause. The vulnerability is addressed in version 0.38.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary remote code on the system running the vulnerable diffusers library, potentially leading to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS 3.1 score is 8.8 (high severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in diffusers version 0.38.0. Users should upgrade to version 0.38.0 or later to remediate this issue. There is no vendor advisory indicating alternative mitigations or that no action is required. Patch status is confirmed by the versioning information in the description. No cloud service is involved, so remediation is the responsibility of the user.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T18:28:20.887Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05fd9fec166c07b0f93180
Added to database: 5/14/2026, 4:51:43 PM
Last enriched: 5/14/2026, 5:07:00 PM
Last updated: 5/15/2026, 5:44:49 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.