CVE-2026-5241
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Hugging Face Transformers LightGlue

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: huntr.dev

Description
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-5241
EUVD
EUVD-2026-34084
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huggingface transformers 5.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the LightGlue model loading path of the huggingface/transformers library version 5.2.0. It allows an attacker-controlled model repository to execute arbitrary code during model initialization.

The root cause is that the `trust_remote_code` parameter, which is supposed to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code` set to false, the `LightGlueConfig` reads the `trust_remote_code` value from an untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls.

This results in the execution of attacker-provided Python modules even when the user explicitly disables remote code execution, leading to a high security risk.

Impact Analysis

This vulnerability can have serious impacts in environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers.

  • An attacker can execute arbitrary code during model initialization.
  • This can lead to credential theft.
  • It can enable lateral movement within a network.
  • Attackers may deploy persistence mechanisms or backdoors.
Detection Guidance

Detection of this vulnerability involves checking for the presence and usage of the `trust_remote_code` parameter in the LightGlue model loading process within the Hugging Face Transformers library.

Specifically, you can audit your codebase or runtime environment for calls to `AutoModel.from_pretrained()` that load LightGlue models with `trust_remote_code` set to True or False, as the vulnerability arises when this parameter is overridden by untrusted configuration data.

Since the vulnerability is related to the use of untrusted serialized configuration files (`config.json`), you can also inspect these files in your model repositories for unexpected or suspicious entries related to `trust_remote_code`.

While no explicit commands are provided in the resources, a practical approach includes grepping your code or logs for `trust_remote_code` usage, for example:

  • grep -r 'trust_remote_code' /path/to/your/project
  • Review the `config.json` files in your model directories for the `trust_remote_code` field.
  • Monitor your environment for unexpected Python module executions during model initialization, which may require custom logging or instrumentation.
Mitigation Strategies

To mitigate this vulnerability, you should update the Hugging Face Transformers library to a version that includes the fix removing the `trust_remote_code` parameter from the LightGlue model loading path.

The fix involves eliminating the unsafe feature that allowed arbitrary code execution by ignoring the `trust_remote_code` parameter in untrusted configurations and enforcing a new security rule (TRF014) that prevents its use in native model integrations.

Additionally, review and restrict model repositories to trusted sources only, and avoid loading models from untrusted or unknown repositories.

If you maintain API inference servers, research notebooks, CI/CD pipelines, or model evaluation workers, ensure they are running the patched version and consider auditing model loading code to confirm compliance.

Compliance Impact

The vulnerability allows attacker-controlled code execution during model initialization, which can lead to credential theft, lateral movement, or persistence/backdoor deployment. Such security breaches can compromise sensitive data and system integrity.

This risk can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access and breaches.

By enabling arbitrary code execution, the vulnerability undermines the security measures necessary to maintain data confidentiality and integrity, potentially leading to violations of these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart