CyberSecurity News

Critical RCE in Hugging Face Transformers Allows Attacks

Marcus Rodriguez
June 6, 2026

A critical vulnerability, tracked as CVE-2026-4372, has been disclosed in the HuggingFace Transformers library. This flaw allows attackers to achieve remote code execution (RCE) by leveraging malicious model configuration files.

The flaw exposes a significant supply chain risk in one of the most widely used machine learning frameworks, impacting developers, enterprises, and AI pipelines globally.

The vulnerability stems from improper handling of untrusted data in model configuration files, specifically in the _attn_implementation_internal attribute.

Attackers can inject this field into a model’s config.json, causing the library to load and execute arbitrary Python code during the standard model loading process.

This occurs even when the security control trust_remote_code=False is enforced, effectively bypassing a key protection mechanism.

HuggingFace Flaw Enables RCE

The Kill Chain (Source: Pluto)

The issue affects Transformers versions 4.56.0 through 5.2.x when used with the optional kernels package.

The vulnerable code path was introduced in August 2025. It remained exploitable until March 2026, creating an exposure window of approximately six months.

During this period, any user loading a malicious model from HuggingFace Hub using the common from_pretrained() function could be silently compromised.

In a typical attack scenario, a threat actor uploads a seemingly legitimate model to HuggingFace Hub. The model includes a crafted config.json file that contains the malicious _attn_implementation_internal field, which points to an attacker-controlled repository.

When a victim loads the model, the Transformers library automatically downloads and imports the referenced code without validation or sandboxing. This leads to immediate code execution on the victim’s system.

Successful exploitation enables attackers to access sensitive data, including AWS credentials, SSH keys, API tokens, and environment variables.

It also enables persistence mechanisms, lateral movement across infrastructure, and potential compromise of CI/CD pipelines.

Scale of Exposure (Source: Pluto)

Because the attack executes during normal model loading, it produces no warnings or visible indicators, making detection extremely difficult.

The scale of impact is substantial. The Transformers library has over 2.2 billion cumulative installs and sees approximately 146 million downloads per month.

With more than one million models hosted on HuggingFace Hub, the attack surface is extensive. During the exposure period, an estimated 232 million installations were vulnerable, increasing the likelihood of real-world exploitation.

Researchers at Pluto Security noted that the vulnerability highlights a broader issue in machine learning ecosystems: treating model files and configurations as trusted inputs.

Similar patterns have been observed in other frameworks, where “safe” modes fail to prevent code execution because internal pathways are not fully accounted for.

HuggingFace addressed the issue in version 5.3.0 by blocking unsafe internal attributes during configuration parsing and enforcing stricter controls on kernel loading.

The fix also ensures that external code execution requires explicit user consent via trust_remote_code=True. Organizations using Transformers are strongly advised to upgrade to version 5.3.0 or later immediately.

Additionally, teams should audit previously downloaded models, monitor for suspicious outbound connections, and isolate model execution environments to reduce risk.
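The mechanism described above (an internal attribute smuggled into config.json that points at an external kernel repository) and the advice to audit previously downloaded models can be turned into a concrete check. The script below is an added example written for this article; it is not Pluto Security's or Hugging Face's code. It assumes, as the article does not spell out, the standard cache layout of models--<org>--<name>/snapshots/<rev>/config.json, that the legitimate built-in attention names are "eager", "sdpa", "flash_attention_2" and "flex_attention", and that a value containing a "/" is a Hub repository reference. The sample config files it creates are constructed for the demonstration.

```python
"""Audit a local Hugging Face cache for the CVE-2026-4372 config.json pattern.

Added example for this article, not code from Hugging Face or Pluto Security.
Assumptions (not stated by the article): cache layout
models--<org>--<name>/snapshots/<rev>/config.json, the set of built-in
attention names below, and "/" in the value meaning a Hub repo reference.
"""
import importlib.util
import json
import os
import re
import tempfile

SUSPECT_KEY = "_attn_implementation_internal"
BUILTIN_ATTN = {"eager", "sdpa", "flash_attention_2", "flex_attention"}  # assumed
AFFECTED_MIN = (4, 56, 0)  # first affected release per the advisory
FIXED = (5, 3, 0)          # fixed release per the advisory


def parse_version(v):
    """'4.56.1', '5.2.0.dev0', '5.3.0rc1' -> (major, minor, patch) as ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version, kernels_installed=True):
    """Vulnerable range is 4.56.0 <= v < 5.3.0, and only with `kernels` present."""
    return kernels_installed and AFFECTED_MIN <= parse_version(version) < FIXED


def scan_config(text):
    """Return [(severity, json_path, value)] for every occurrence of the key.

    Nested config objects (e.g. text_config in multimodal models) are walked
    too, because the attribute could be planted in a sub-config as well.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else k
                if k == SUSPECT_KEY:
                    if isinstance(v, str) and "/" in v:
                        sev = "HIGH"    # repo-style reference: external code
                    elif v is None or (isinstance(v, str) and v in BUILTIN_ATTN):
                        sev = "LOW"     # built-in name, but should not be serialized
                    else:
                        sev = "MEDIUM"  # unknown value, review manually
                    findings.append((sev, p, v))
                walk(v, p)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(text), "")
    return findings


def scan_cache(root):
    """Walk a cache root and return {config_path: findings} for flagged files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "config.json" not in files:
            continue
        path = os.path.join(dirpath, "config.json")
        try:
            with open(path, encoding="utf-8") as f:
                hits = scan_config(f.read())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip, do not crash the audit
        if hits:
            report[path] = hits
    return report


def build_demo_cache():
    """Create a temporary cache with one clean and one constructed malicious model."""
    root = tempfile.mkdtemp(prefix="hf-audit-demo-")
    clean = os.path.join(root, "models--org--clean", "snapshots", "abc")
    bad = os.path.join(root, "models--org--tainted", "snapshots", "def")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "config.json"), "w") as f:
        json.dump({"model_type": "llama", "attn_implementation": "sdpa"}, f)
    with open(os.path.join(bad, "config.json"), "w") as f:  # constructed sample
        json.dump({"model_type": "llama", SUSPECT_KEY: "example-org/kernel"}, f)
    return root


if __name__ == "__main__":
    kernels = importlib.util.find_spec("kernels") is not None
    try:
        import transformers
        print("transformers", transformers.__version__, "affected:",
              is_affected(transformers.__version__, kernels))
    except ImportError:
        print("transformers not installed in this environment")
    default = os.path.expanduser("~/.cache/huggingface/hub")
    root = default if os.path.isdir(default) else build_demo_cache()
    for path, hits in scan_cache(root).items():
        for sev, where, value in hits:
            print(f"[{sev}] {path}: {where} = {value!r}")
```

Point the script at HF_HOME or a shared model store in CI rather than only the developer cache; a HIGH finding should block the pipeline until the model is reviewed, and any finding at all is worth a look, since the key is internal state that a legitimately exported config has no reason to carry.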

CVE-2026-4372 underscores the growing importance of securing AI supply chains. As machine learning adoption accelerates, attackers are increasingly targeting model distribution platforms, turning trusted workflows into high-impact attack vectors.

Tags: Attack, CVE, Exploit, Security, Threat, Vulnerability

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

All Rights Reserved by HackersRadar ©2026