CVE-2026-46517
Hardcoded Trust Remote Code in LMDeploy

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, a hardcoded `trust_remote_code=True` enables Hugging Face (HF) supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
Affected Vendors & Products
Vendor: internlm
Product: lmdeploy
Version / Range: up to and including 0.12.3
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Executive Summary

CVE-2026-46517 is a security vulnerability in the LMDeploy toolkit, which is used for compressing, deploying, and serving large language models. In versions 0.12.3 and earlier, the parameter "trust_remote_code" is hardcoded to True in multiple functions. This setting allows remote code execution (RCE) from untrusted model repositories without the user's consent or opt-out.

Specifically, this means that malicious Python code embedded in a model repository's configuration files can execute automatically when a model is loaded, potentially compromising the user's system.

Unlike other frameworks that default to a secure setting ("trust_remote_code=False") and allow users to opt-in, LMDeploy forces this insecure behavior with no option to disable it. This affects users running commands like "lmdeploy serve api_server <attacker_repo>" and exposes casual users, CI pipelines, and researchers to supply-chain RCE attacks.

Compliance Impact

The vulnerability in LMDeploy allows remote code execution (RCE) without user opt-in, which can lead to unauthorized code running on a user's machine. This type of security flaw can compromise the confidentiality, integrity, and availability of data processed or stored by affected systems.

Such unauthorized code execution risks violating common security requirements embedded in standards and regulations like GDPR and HIPAA, which mandate protecting personal and sensitive data from unauthorized access and ensuring secure processing environments.

Because LMDeploy's hardcoded trust_remote_code=True setting enables supply-chain RCE attacks, organizations using affected versions may face challenges in maintaining compliance with these regulations until the vulnerability is patched or mitigated.

Impact Analysis

This vulnerability can have severe impacts because it enables remote code execution on your machine without your explicit permission. An attacker can execute arbitrary Python code by tricking LMDeploy into loading a malicious model repository.

  • Full remote code execution (RCE) on the user's machine.
  • Potential compromise of sensitive data and system integrity.
  • In multi-tenant cloud environments, the severity could escalate to critical, potentially allowing attackers to affect other tenants or escalate privileges.
  • Users, CI pipelines, and researchers who unknowingly load untrusted repositories are at risk.
Detection Guidance

This vulnerability can be detected by checking whether the LMDeploy version in use is 0.12.3 or earlier and whether `trust_remote_code=True` is hardcoded, or implicitly enabled, in the functions used to load models.

Since LMDeploy does not provide a CLI flag, environment variable, or parameter to disable this behavior, detection involves inspecting the commands and code usage patterns.

  • Check the LMDeploy version: `lmdeploy --version` or inspect the installed package version.
  • Look for usage of commands like `lmdeploy serve api_server <model_repo>` where `<model_repo>` could be untrusted.
  • Audit the source code or scripts for hardcoded `trust_remote_code=True` in functions such as `get_model_arch` or `load_hf_from_pretrained`.
  • Monitor network activity for unexpected outbound connections or suspicious behavior when loading models from external repositories.
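The version check and the source audit from the list above can be scripted. The following is an added example written for this page, not code from the LMDeploy project or from the advisory: it compares the installed `lmdeploy` package version (read via `importlib.metadata`) against the 0.12.3 cut-off, and it walks Python source with the `ast` module to report every place a literal `trust_remote_code=True` is passed as a call keyword or stuffed into a kwargs dict. The function names `get_model_arch` and `load_hf_from_pretrained` in the sample come from the guidance above; the sample source body itself is constructed for the demonstration and is not LMDeploy's code.

```python
"""Audit helper for CVE-2026-46517 (added example, not LMDeploy project code):
(1) is the installed lmdeploy <= 0.12.3? (2) where does source hard-code
trust_remote_code=True, as a call keyword or as a kwargs-dict entry?"""
import ast
import re
from importlib import metadata
from pathlib import Path

LAST_AFFECTED = (0, 12, 3)  # advisory: "versions 0.12.3 and prior"


def parse_version(text: str) -> tuple:
    """'0.12.3', '0.12.3.post1' or '0.13.0rc1' -> tuple of leading numeric parts."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected_version(text: str) -> bool:
    """True when the lmdeploy version string is 0.12.3 or earlier."""
    return parse_version(text) <= LAST_AFFECTED


def installed_lmdeploy_version():
    """Installed lmdeploy version, or None if the package is not present."""
    try:
        return metadata.version("lmdeploy")
    except metadata.PackageNotFoundError:
        return None


class _TrustVisitor(ast.NodeVisitor):
    """Collect (file, line, enclosing function, snippet) for literal True values."""

    def __init__(self, filename):
        self.filename = filename
        self.scope = ["<module>"]  # tracks the enclosing function name
        self.hits = []

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        # pattern: some_loader(..., trust_remote_code=True)
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant) and kw.value.value is True):
                self.hits.append((self.filename, node.lineno, self.scope[-1],
                                  ast.unparse(node.func)))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # pattern: kwargs["trust_remote_code"] = True
        for target in node.targets:
            if (isinstance(target, ast.Subscript)
                    and isinstance(target.slice, ast.Constant)
                    and target.slice.value == "trust_remote_code"
                    and isinstance(node.value, ast.Constant) and node.value.value is True):
                self.hits.append((self.filename, node.lineno, self.scope[-1],
                                  ast.unparse(node)))
        self.generic_visit(node)


def find_hardcoded_trust(source: str, filename: str = "<string>") -> list:
    """Parse one Python source text and return every hardcoded True occurrence."""
    visitor = _TrustVisitor(filename)
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.hits


def scan_tree(root) -> list:
    """Run find_hardcoded_trust over every .py file under root; skip unparsable files."""
    hits = []
    for path in Path(root).rglob("*.py"):
        try:
            hits.extend(find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return hits


# Constructed sample in the shape the advisory describes (not LMDeploy source).
SAMPLE_SOURCE = '''
from transformers import AutoConfig, AutoModelForCausalLM

def get_model_arch(model_path):
    cfg = AutoConfig.from_pretrained(model_path, trust_remote_code=True)
    return cfg.architectures[0]

def load_hf_from_pretrained(model_path, **kwargs):
    kwargs["trust_remote_code"] = True
    return AutoModelForCausalLM.from_pretrained(model_path, **kwargs)

def opt_in_loader(model_path, trust_remote_code=False):
    return AutoConfig.from_pretrained(model_path, trust_remote_code=trust_remote_code)
'''

if __name__ == "__main__":
    ver = installed_lmdeploy_version()
    if ver is None:
        print("lmdeploy not installed")
    else:
        print(f"lmdeploy {ver}: {'AFFECTED' if is_affected_version(ver) else 'outside affected range'}")
    for f, line, func, snippet in find_hardcoded_trust(SAMPLE_SOURCE, "<sample>"):
        print(f"{f}:{line} in {func}(): {snippet}")
```

Run it inside the environment where LMDeploy is installed; point `scan_tree()` at the installed `lmdeploy` package directory or at your own deployment scripts. Only literal `True` values are reported, so a loader that threads a caller-supplied `trust_remote_code` parameter through (the `opt_in_loader` shape in the sample) is correctly left out, which is the opt-in pattern the advisory contrasts with LMDeploy's behaviour.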
Mitigation Strategies

Immediate mitigation steps include avoiding the use of LMDeploy versions 0.12.3 and earlier until a patch is released.

Do not load models from untrusted or unknown repositories, especially when using commands like `lmdeploy serve api_server <model_repo>`.

Review and restrict access to systems running LMDeploy to prevent unauthorized or accidental execution of malicious code.

Monitor for updates or patches from the LMDeploy project that introduce a secure default for `trust_remote_code` and apply them as soon as they become available.
