CVE-2026-47117
Status: Received - Intake
Remote Code Execution in OpenMed Privacy-Filter Model

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path that loads Hugging Face models with trust_remote_code=True. An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json, which is imported and executed with the privileges of the OpenMed service process.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: maziyarpanahi; Product: openmed; Version / Range: up to 1.5.2 (1.5.2 excluded)
Vendor: maziyarpanahi; Product: openmed; Version / Range: 1.5.2
CWE
CWE ID: CWE-94
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

OpenMed versions before 1.5.2 contain a critical remote code execution vulnerability in the PII privacy-filter model loading path.

The vulnerability arises because the privacy-filter dispatcher uses broad substring matching on the user-supplied model_name parameter. This allows an attacker to craft a malicious model name, such as attacker/foo-privacy-filter-bar, which passes the substring check and causes the system to load a Hugging Face model with trust_remote_code=True.

An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json. This code is then imported and executed with the privileges of the OpenMed service process, enabling arbitrary code execution.


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the system running OpenMed with the same privileges as the OpenMed service process.

Such remote code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of service, and potential further exploitation within the affected environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detecting this vulnerability means identifying whether your OpenMed installation runs a version prior to 1.5.2, i.e. one whose dispatcher applies broad substring matching to model names, so that any model name containing "privacy-filter" can route to the path that loads untrusted code.

You can check the OpenMed version installed by running a command like:

  • openmed --version

To detect suspicious activity or exploitation attempts, monitor logs or network traffic for requests containing unusual model_name parameters resembling attacker/foo-privacy-filter-bar or other unexpected model names containing "privacy-filter".

For example, you can search OpenMed service logs for such patterns using commands like:

  • grep -i 'privacy-filter' /var/log/openmed/*.log
  • grep -E 'attacker/.+-privacy-filter-.+' /var/log/openmed/*.log

Additionally, network monitoring tools can be used to detect HTTP requests with suspicious model_name parameters.


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade OpenMed to version 1.5.2 or later, which includes security hardening to prevent this remote code execution vulnerability.

Version 1.5.2 introduces an explicit allowlist for trusted privacy-filter models, disables trust_remote_code by default, and restricts model name routing to prevent arbitrary model names from loading untrusted code.

If upgrading immediately is not possible, consider restricting access to the OpenMed service to trusted users only and monitor for suspicious model_name parameters containing "privacy-filter".

Operators can also configure the environment variable OPENMED_TRUSTED_REMOTE_CODE_MODELS to explicitly allow trusted custom or private fine-tuned models, reducing risk.
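To make the substring routing described in the description and the allowlist that 1.5.2 introduces concrete, and to turn the log check from the detection answer into a reusable function, here is an added Python example; it is not OpenMed's code, never loads a model, and its built-in allowlist entry, request-log format and comma-separated parsing of OPENMED_TRUSTED_REMOTE_CODE_MODELS are assumptions.

```python
import os
import re

# Hypothetical built-in allowlist; OpenMed's real list of trusted privacy-filter
# models is not on the page, so this name is a constructed placeholder.
BUILTIN_TRUSTED_PRIVACY_FILTERS = frozenset({"OpenMed/PII-privacy-filter-base"})

# The advisory names this variable; comma-separated parsing is an assumption.
ENV_ALLOWLIST = "OPENMED_TRUSTED_REMOTE_CODE_MODELS"

# Hypothetical request-log format: a space-separated model_name=<value> field.
MODEL_NAME_RE = re.compile(r"model_name=(?P<name>\S+)")


def trusted_remote_code_models(env=None) -> frozenset:
    """Built-in allowlist plus operator-approved names from the environment."""
    env = os.environ if env is None else env
    extra = env.get(ENV_ALLOWLIST, "")
    return BUILTIN_TRUSTED_PRIVACY_FILTERS | {n.strip() for n in extra.split(",") if n.strip()}


def resolve_vulnerable(model_name: str) -> dict:
    """Pre-1.5.2 style routing: any name containing the substring is granted remote code,
    so attacker/foo-privacy-filter-bar lands on the trust_remote_code=True path."""
    trust = "privacy-filter" in model_name
    return {"model": model_name, "trust_remote_code": trust}


def resolve_hardened(model_name: str, env=None) -> dict:
    """1.5.2 style routing: remote code only for an exact allowlist match; the default is off."""
    trust = model_name in trusted_remote_code_models(env)
    return {"model": model_name, "trust_remote_code": trust}


def flag_untrusted_privacy_filter_requests(log_lines, env=None) -> list:
    """Detection: model_name values that look like privacy-filter models but are not allowlisted."""
    allowed = trusted_remote_code_models(env)
    flagged = []
    for line in log_lines:
        match = MODEL_NAME_RE.search(line)
        if match and "privacy-filter" in match["name"] and match["name"] not in allowed:
            flagged.append(match["name"])
    return flagged


# Constructed sample log lines, not real OpenMed output.
SAMPLE_LOG = [
    "2026-06-02T10:00:01Z INFO request model_name=OpenMed/PII-privacy-filter-base task=pii",
    "2026-06-02T10:00:07Z INFO request model_name=attacker/foo-privacy-filter-bar task=pii",
    "2026-06-02T10:00:09Z INFO request model_name=OpenMed/ner-clinical task=ner",
]
```

Passing env={} to the hardened functions shows the behaviour without any operator allowlist; a name placed in OPENMED_TRUSTED_REMOTE_CODE_MODELS is accepted only on an exact match, never by substring.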


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in OpenMed before version 1.5.2 allows unauthenticated remote code execution via the PII privacy-filter model loading path. This flaw could lead to unauthorized access and execution of arbitrary code with the privileges of the OpenMed service process.

Since OpenMed handles Personally Identifiable Information (PII) and is used in healthcare AI contexts, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive personal data.

Such a compromise would negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and health information from unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to regulatory compliance by potentially enabling data breaches and unauthorized data manipulation.

