Vulnerability Management

Critical vulnerability in Hugging Face Transformers library allowed arbitrary code execution

Coverage from Silicon Angle indicates that a critical remote code execution vulnerability has been disclosed in Hugging Face Inc.’s Transformers library. The flaw allowed an attacker-controlled AI model to run arbitrary code on the machine that loaded it, bypassing the library's existing safeguards.

The vulnerability, tracked as CVE-2026-4372, was exploitable through a standard model-loading call even when Hugging Face’s recommended security setting, "trust_remote_code=False", was in effect. An attacker could embed a malicious payload in a model's configuration file, and that payload would execute silently when the model was loaded with the "from_pretrained()" function. This broke the assumption that leaving remote code disabled protected users from loading untrusted models.

The vulnerable versions, Transformers 4.56.0 through 5.2.x with the "kernels" package installed, were downloaded an estimated 232 million times during the six months the flaw was live. Successful exploitation could expose cloud credentials, API keys, SSH keys and proprietary datasets; enterprise AI platforms and automated model evaluation pipelines that load third-party models unattended are the most exposed targets.

Hugging Face has released a fix in version 5.3.0 and recommends upgrading immediately. Organizations are urged to treat model loading as a code execution surface rather than a data-loading step.

Source: Silicon Angle
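As an added check that is not part of the SC Media or Silicon Angle coverage, the script below audits a Python environment for the reported vulnerable combination. It assumes only what the report states: the affected range is Transformers 4.56.0 up to but not including 5.3.0, and the condition is the presence of the "kernels" distribution. The distribution name `kernels` as seen by `importlib.metadata` is an assumption; everything else is generic version handling.

```python
"""Audit the local environment for the Transformers/kernels combination reported
as affected by CVE-2026-4372 (example code, not from Hugging Face or SC Media)."""
from importlib import metadata
import re

# Range as reported: 4.56.0 through 5.2.x affected, 5.3.0 fixed.
AFFECTED_MIN = (4, 56, 0)
FIXED = (5, 3, 0)


def parse_version(v: str) -> tuple:
    """Return the leading numeric release segments of a version string as a
    tuple of ints, padded to at least three components.

    Pre-release/post-release suffixes are dropped ("5.3.0rc1" -> (5, 3, 0)),
    which is an approximation: the report does not say whether 5.3.0
    pre-releases carry the fix, so treat a pre-release result with care."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(transformers_version: str, kernels_installed: bool) -> bool:
    """Vulnerable only when kernels is present AND 4.56.0 <= version < 5.3.0."""
    version = parse_version(transformers_version)
    return kernels_installed and AFFECTED_MIN <= version < FIXED


def installed_version(dist_name: str):
    """Version of an installed distribution, or None if it is not installed."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def audit_environment() -> dict:
    """Check the running interpreter's site-packages and report the verdict.
    Assumes the kernels package is distributed under the name "kernels"."""
    transformers_version = installed_version("transformers")
    kernels_version = installed_version("kernels")
    affected = transformers_version is not None and is_affected(
        transformers_version, kernels_version is not None
    )
    return {
        "transformers": transformers_version,
        "kernels": kernels_version,
        "affected": affected,
        "recommendation": "upgrade transformers to >=5.3.0" if affected else "no action from this check",
    }


if __name__ == "__main__":
    for key, value in audit_environment().items():
        print(f"{key}: {value}")
```

Run it inside the virtual environment that actually loads models (model evaluation workers included), since each environment has its own copy of Transformers. A clean result from this check only covers the version range reported here; the advice to treat `from_pretrained()` on untrusted models as code execution still stands.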

(Credit: Robert – stock.adobe.com)