CVE-2026-5241: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in huggingface huggingface/transformers
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
AI Analysis
Technical Summary
The vulnerability arises in huggingface/transformers 5.2.0 within the LightGlue model loading path. When loading a LightGlue model via AutoModel.from_pretrained() with trust_remote_code set to false, the LightGlueConfig improperly reads the trust_remote_code value from an untrusted config.json file. This value then propagates into nested AutoConfig.from_pretrained() calls, allowing attacker-supplied Python modules to execute despite the user's explicit disabling of remote code execution. This CWE-829 issue (Inclusion of Functionality from Untrusted Control Sphere) enables arbitrary code execution from attacker-controlled model repositories, posing a significant risk in various deployment environments.
Potential Impact
Successful exploitation allows arbitrary code execution during model initialization, which can lead to credential theft, lateral movement within networks, or deployment of persistent backdoors. The vulnerability undermines the security controls intended to prevent remote code execution in the transformers library, increasing the risk to systems that load models from untrusted sources.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid loading models from untrusted or unverified repositories, especially in sensitive environments. Explicitly verifying the source and integrity of model repositories before loading is recommended. Monitor the huggingface project advisories for updates or patches addressing this issue.
CVE-2026-5241: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in huggingface huggingface/transformers
Description
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
CVSS v3.0
Score 8.0high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises in huggingface/transformers 5.2.0 within the LightGlue model loading path. When loading a LightGlue model via AutoModel.from_pretrained() with trust_remote_code set to false, the LightGlueConfig improperly reads the trust_remote_code value from an untrusted config.json file. This value then propagates into nested AutoConfig.from_pretrained() calls, allowing attacker-supplied Python modules to execute despite the user's explicit disabling of remote code execution. This CWE-829 issue (Inclusion of Functionality from Untrusted Control Sphere) enables arbitrary code execution from attacker-controlled model repositories, posing a significant risk in various deployment environments.
Potential Impact
Successful exploitation allows arbitrary code execution during model initialization, which can lead to credential theft, lateral movement within networks, or deployment of persistent backdoors. The vulnerability undermines the security controls intended to prevent remote code execution in the transformers library, increasing the risk to systems that load models from untrusted sources.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid loading models from untrusted or unverified repositories, especially in sensitive environments. Explicitly verifying the source and integrity of model repositories before loading is recommended. Monitor the huggingface project advisories for updates or patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-03-31T14:26:14.353Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2037c7e29bf47b50c14ed8
Added to database: 6/3/2026, 2:18:47 PM
Last enriched: 6/3/2026, 2:48:27 PM
Last updated: 6/4/2026, 4:59:13 AM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.