Remote Code Execution in LLaMA-Factory

Executive Summary

CVE-2026-58116 is a critical remote code execution vulnerability in LLaMA-Factory WebUI versions up to 0.9.5. It arises because the application does not validate user input supplied in the model path field of the Chat or Training interfaces. This input is passed directly to the Hugging Face transformers library functions AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded parameter trust_remote_code=True.

This setting causes the library to fetch and execute arbitrary Python code from the specified remote or local model repository with the privileges of the server process. An attacker can exploit this by providing a malicious model path pointing to a crafted repository containing executable code, which the server then runs, leading to remote code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with access to the WebUI to execute arbitrary Python code on the server hosting LLaMA-Factory. Because the code runs with the server's privileges, the attacker can potentially take full control of the server, leading to data theft, service disruption, unauthorized access to sensitive information, or further network compromise.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious usage of the WebUI's model path input fields, especially any attempts to load models from untrusted or unusual Hugging Face repositories or local paths.

Since the vulnerability arises from the application passing unvalidated model path inputs to AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with trust_remote_code=True, one detection approach is to audit logs or monitor network traffic for requests that include suspicious model path strings or repository identifiers.

Specific commands are not provided in the resources, but general recommendations include:

• Review WebUI access logs for unusual or unauthorized model path inputs.
• Monitor outgoing network connections from the server process to external model repositories, especially unexpected or unknown URLs.
• Use file integrity monitoring to detect unexpected changes in local model directories.
• If possible, enable debugging or verbose logging in the application to capture model loading events.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling the hardcoded trust_remote_code=True setting in the application to prevent execution of arbitrary code from untrusted model repositories.

Implement input validation and allowlists to restrict model path inputs to only trusted and expected patterns or repositories.

Restrict access to the WebUI to trusted users only, as the vulnerability requires WebUI access to be exploited.

Consider updating or patching the application to a version where this vulnerability is fixed, if available.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote code execution with the privileges of the server process by executing arbitrary Python code from untrusted model repositories. This can lead to unauthorized access, data breaches, or manipulation of sensitive data handled by the affected system.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Organizations using vulnerable versions of LLaMA-Factory may face increased risk of non-compliance due to the possibility of attackers exploiting this flaw to access or alter protected data.

Useful 0 Not Useful 0