Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks
By Abinaya
April 29, 2026
A critical, currently unpatched remote code execution (RCE) vulnerability has been disclosed in LeRobot, Hugging Face’s popular open-source machine learning framework for real-world robotics.
Tracked as CVE-2026-25874 with a critical CVSS score of 9.3, the flaw allows unauthenticated attackers to execute arbitrary system commands on vulnerable host machines.
LeRobot has nearly 24,000 stars on GitHub, and the vulnerability poses a severe risk to AI infrastructure, connected robots, and sensitive proprietary data.
Insecure Pickle Deserialization
The detailed proof-of-concept published by Chocapikk shows the flaw in the async inference module, which offloads heavy computation to a GPU server.
The PolicyServer and RobotClient components use Python’s native pickle module to deserialize data transmitted over unauthenticated gRPC channels.
Because the gRPC server uses add_insecure_port() without Transport Layer Security (TLS) or authentication, anyone with network access can connect directly to the service.
By sending a maliciously crafted serialized payload via RPC handlers such as SendPolicyInstructions or SendObservations, attackers can trigger automatic arbitrary code execution.
The malicious payload executes immediately during the pickle.loads() process, long before the system performs any data type validation.
Exploiting this vulnerability requires no credentials and no complex attack chains.
Because AI inference servers typically run with elevated system privileges to manage expensive GPU resources and massive datasets, a successful breach is devastating.
Attackers could gain complete administrative control over the host machine.
They can move laterally across the internal network, corrupt machine learning models, exfiltrate Hugging Face API keys, and potentially sabotage the physical operations of connected robots.
The vulnerability affects LeRobot versions up to and including 0.5.1.
Chocapikk security researchers emphasized a glaring irony in this codebase: Hugging Face originally developed the safetensors format specifically to eliminate the severe security risks associated with pickle serialization.
Despite creating the safe alternative, LeRobot developers used the unsafe pickle format for convenience.
Furthermore, Chocapikk discovered the source code contained # nosec tags directly next to the pickle.loads() calls.
These comments were deliberately placed to suppress automated security linter warnings that accurately flagged the vulnerability during development.
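The core defect described above is that pickle.loads() runs whatever the byte stream tells it to before any type check happens. The following is an added defensive example, not LeRobot code, showing the two checks a receiver of pickled messages can apply without executing the stream: a pickletools opcode scan that rejects any stream able to import or call objects, and a restricted Unpickler that refuses every global lookup. The sample messages are constructed here; the OrderedDict case is harmless but carries the same import opcode a hostile stream would need.

```python
"""Defensive checks for pickle-based message handling (added example, not LeRobot code)."""
import collections
import io
import pickle
import pickletools

# Opcodes that import names or invoke callables. A stream of plain data
# (numbers, strings, bytes, lists, dicts, tuples) never needs any of these.
_DANGEROUS_OPS = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})


def find_dangerous_opcodes(data: bytes) -> list[str]:
    """Statically walk the opcode stream; nothing is executed or imported."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in _DANGEROUS_OPS:
                found.append(opcode.name)
    except ValueError as exc:  # truncated or malformed stream
        found.append(f"MALFORMED({exc})")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module.name reference at all."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def loads_data_only(data: bytes):
    """Deserialize only plain data: scan first, then load with globals disabled."""
    bad = find_dangerous_opcodes(data)
    if bad:
        raise pickle.UnpicklingError(f"rejected pickle: {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample observation (not captured from real LeRobot traffic).
BENIGN_OBSERVATION = {"joint_pos": [0.1, 0.2, 0.3], "step": 42, "frame": b"\x00\x01"}


def demo() -> dict:
    """Run both checks over a plain-data message and over one carrying a global reference."""
    plain = pickle.dumps(BENIGN_OBSERVATION)
    # OrderedDict itself is harmless, but pickling it emits STACK_GLOBAL + REDUCE
    # to import collections.OrderedDict and call it: the same machinery an
    # attacker-controlled stream relies on, so it must be rejected.
    with_global = pickle.dumps(collections.OrderedDict())
    results = {
        "plain_ops": find_dangerous_opcodes(plain),
        "plain_value": loads_data_only(plain),
        "global_ops": find_dangerous_opcodes(with_global),
    }
    try:
        loads_data_only(with_global)
        results["global_rejected"] = False
    except pickle.UnpicklingError:
        results["global_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The scan is the cheap first line: it runs in constant memory over the raw bytes and never touches the interpreter's import machinery. The restricted Unpickler is the backstop for anything the scan misses, and it is still no substitute for dropping pickle in favour of a data-only format on an untrusted channel.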
Mitigation Strategies
A permanent patch replacing pickle with safetensors and JSON is planned for LeRobot version 0.6.0.
Until this official fix is deployed, organizations must implement immediate defensive measures:
Restrict network access to ensure the LeRobot async inference server is never exposed to untrusted networks or the public internet.
Bind the server strictly to localhost rather than 0.0.0.0 to block all external connection attempts.
Implement strong API gateways, VPNs, and network-level firewalls to enforce strict authentication before traffic reaches the gRPC port.
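The planned fix replaces pickle with safetensors and JSON. As an added example (not LeRobot's or Hugging Face's code, and not byte-compatible with the real safetensors library), the block below shows the shape of such a pickle-free wire format: a little-endian u64 header length, a JSON header carrying the instructions plus every tensor's dtype, shape and byte range, then the raw tensor bytes. The decoder validates every field against an allowlist and the actual payload length, so a crafted message can at worst be rejected, never executed. Field names, dtype codes and the sample message are assumptions made for this example.

```python
"""Pickle-free wire format for policy messages (added example, not LeRobot code)."""
import array
import json
import struct
import sys
from math import prod

MAX_HEADER_BYTES = 1 << 20                   # refuse absurd headers before json.loads
DTYPES = {"F32": ("f", 4), "I64": ("q", 8)}  # allowlisted dtype -> (array typecode, itemsize)


def _swap_if_big_endian(arr: array.array) -> array.array:
    """Bytes on the wire are little-endian; byteswap is symmetric so this works both ways."""
    if sys.byteorder == "big":
        arr = array.array(arr.typecode, arr)
        arr.byteswap()
    return arr


def encode_message(instructions: dict, tensors: dict) -> bytes:
    """tensors maps name -> (dtype, flat list of values); shape is 1-D here for brevity."""
    blobs, index, offset = [], {}, 0
    for name, (dtype, values) in tensors.items():
        typecode, _ = DTYPES[dtype]
        raw = _swap_if_big_endian(array.array(typecode, values)).tobytes()
        index[name] = {"dtype": dtype, "shape": [len(values)],
                       "data_offsets": [offset, offset + len(raw)]}
        blobs.append(raw)
        offset += len(raw)
    header = json.dumps({"instructions": instructions, "tensors": index}).encode()
    return struct.pack("<Q", len(header)) + header + b"".join(blobs)


def decode_message(data: bytes):
    """Parse and validate; every check fails closed with ValueError."""
    if len(data) < 8:
        raise ValueError("message shorter than header length field")
    (header_len,) = struct.unpack("<Q", data[:8])
    if header_len > MAX_HEADER_BYTES or 8 + header_len > len(data):
        raise ValueError("header length out of bounds")
    header = json.loads(data[8:8 + header_len])
    if not isinstance(header, dict) or set(header) != {"instructions", "tensors"}:
        raise ValueError("unexpected header keys")
    if not isinstance(header["tensors"], dict):
        raise ValueError("tensor index must be an object")
    payload = memoryview(data)[8 + header_len:]
    tensors = {}
    for name, meta in header["tensors"].items():
        if not isinstance(meta, dict) or set(meta) != {"dtype", "shape", "data_offsets"}:
            raise ValueError(f"bad tensor entry {name!r}")
        if not isinstance(meta["dtype"], str) or meta["dtype"] not in DTYPES:
            raise ValueError(f"dtype not allowlisted for {name!r}")
        typecode, itemsize = DTYPES[meta["dtype"]]
        shape, offsets = meta["shape"], meta["data_offsets"]
        if not (isinstance(shape, list) and all(isinstance(d, int) and d >= 0 for d in shape)):
            raise ValueError(f"bad shape for {name!r}")
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(isinstance(o, int) for o in offsets)):
            raise ValueError(f"bad data_offsets for {name!r}")
        start, end = offsets
        if not 0 <= start <= end <= len(payload):
            raise ValueError(f"data_offsets outside payload for {name!r}")
        if end - start != prod(shape) * itemsize:
            raise ValueError(f"byte range does not match shape for {name!r}")
        arr = array.array(typecode)
        arr.frombytes(payload[start:end])
        tensors[name] = _swap_if_big_endian(arr)
    return header["instructions"], tensors


def rejects(data: bytes) -> bool:
    """True if the decoder refuses `data` (used to show fail-closed behaviour)."""
    try:
        decode_message(data)
    except ValueError:
        return True
    return False


# Constructed sample message (not real LeRobot traffic).
SAMPLE = encode_message({"task": "pick", "fps": 30},
                        {"action": ("F32", [0.5, -1.25, 2.0]), "step": ("I64", [7])})

if __name__ == "__main__":
    instr, tens = decode_message(SAMPLE)
    print(instr, {k: list(v) for k, v in tens.items()})
    print("truncated rejected:", rejects(SAMPLE[:-1]))
```

Every value the decoder produces is a number, string, list or typed array; there is no path from the bytes to a Python callable, which is the property pickle cannot offer on an unauthenticated channel. Network restrictions in the list above still apply, since a data-only format does nothing about resource exhaustion or unauthorised control of the robot.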