CVE-2026-5241
Remote Code Execution in Hugging Face Transformers LightGlue
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: huntr.dev
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | 5.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attacker-controlled code execution during model initialization, which can lead to credential theft, lateral movement, or persistence/backdoor deployment. Such security breaches can compromise sensitive data and system integrity.
This risk can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access and breaches.
By enabling arbitrary code execution, the vulnerability undermines the security measures necessary to maintain data confidentiality and integrity, potentially leading to violations of these regulations.
Can you explain this vulnerability to me?
This vulnerability exists in the LightGlue model loading path of the huggingface/transformers library version 5.2.0. It allows an attacker-controlled model repository to execute arbitrary code during model initialization.
The root cause is that the `trust_remote_code` parameter, which is supposed to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code` set to false, the `LightGlueConfig` reads the `trust_remote_code` value from an untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls.
This results in the execution of attacker-provided Python modules even when the user explicitly disables remote code execution, leading to a high security risk.
How can this vulnerability impact me?
This vulnerability can have serious impacts in environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers.
- An attacker can execute arbitrary code during model initialization.
- This can lead to credential theft.
- It can enable lateral movement within a network.
- Attackers may deploy persistence mechanisms or backdoors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence and usage of the `trust_remote_code` parameter in the LightGlue model loading process within the Hugging Face Transformers library.
Specifically, you can audit your codebase or runtime environment for calls to `AutoModel.from_pretrained()` that load LightGlue models, regardless of whether `trust_remote_code` is passed as True or False, because the vulnerability arises when a False value is overridden by untrusted configuration data.
Since the vulnerability is related to the use of untrusted serialized configuration files (`config.json`), you can also inspect these files in your model repositories for unexpected or suspicious entries related to `trust_remote_code`.
While no explicit commands are provided in the resources, a practical approach includes grepping your code or logs for `trust_remote_code` usage, for example:
- `grep -r 'trust_remote_code' /path/to/your/project`
- Review the `config.json` files in your model directories for the `trust_remote_code` field.
- Monitor your environment for unexpected Python module executions during model initialization, which may require custom logging or instrumentation.
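The `config.json` review above can be scripted. The following is an added audit helper, not code from the advisory or from the transformers project: it walks a directory of locally stored model repositories, parses each `config.json`, and reports every `trust_remote_code` key at any nesting depth, since the issue is a value propagated from a nested configuration. The directory layout and the `nested_config` key in the sample are assumptions for illustration.

```python
import json
import os
from typing import Any

# Added audit helper (assumed layout: one model repository per subdirectory,
# each holding a config.json). Reports every `trust_remote_code` key found,
# including inside nested sub-configurations, which a top-level-only check
# would miss.


def find_trust_remote_code(node: Any, path: str = "") -> list[tuple[str, Any]]:
    """Return (dotted-path, value) for every `trust_remote_code` key in a parsed JSON tree."""
    hits: list[tuple[str, Any]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "trust_remote_code":
                hits.append((child, value))
            hits.extend(find_trust_remote_code(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_trust_remote_code(item, f"{path}[{i}]"))
    return hits


def audit_model_dir(root: str) -> dict[str, list[tuple[str, Any]]]:
    """Map each config.json under `root` to its trust_remote_code entries (empty list = clean)."""
    report: dict[str, list[tuple[str, Any]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "config.json" not in files:
            continue
        cfg_path = os.path.join(dirpath, "config.json")
        try:
            with open(cfg_path, encoding="utf-8") as fh:
                report[cfg_path] = find_trust_remote_code(json.load(fh))
        except (OSError, ValueError) as exc:
            # Unreadable or malformed JSON in a model repo is itself worth a look.
            report[cfg_path] = [("<unparseable>", str(exc))]
    return report


if __name__ == "__main__":
    # Constructed sample: the flag sits in a nested sub-config, not at top level.
    sample = {"model_type": "lightglue",
              "nested_config": {"model_type": "superpoint", "trust_remote_code": True}}
    print(find_trust_remote_code(sample))  # [('nested_config.trust_remote_code', True)]
```

Any non-empty entry in the report is a repository whose configuration should not be loaded until the field has been explained and removed.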
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Hugging Face Transformers library to a version that includes the fix removing the `trust_remote_code` parameter from the LightGlue model loading path.
The fix involves eliminating the unsafe feature that allowed arbitrary code execution by ignoring the `trust_remote_code` parameter in untrusted configurations and enforcing a new security rule (TRF014) that prevents its use in native model integrations.
Additionally, review and restrict model repositories to trusted sources only, and avoid loading models from untrusted or unknown repositories.
If you maintain API inference servers, research notebooks, CI/CD pipelines, or model evaluation workers, ensure they are running the patched version and consider auditing model loading code to confirm compliance.