A vulnerability marked as problematic has been reported in huggingface transformers up to 5.2.x . This vulnerability affects the function AutoModelForCausalLM.from_pretrained of the file config.json . This manipulation of the argument _attn_implementation_internal causes missing serialization control element. This vulnerability is tracked as CVE-2026-4372 . The attack is restricted to local execution. No exploit exists. It is suggested to upgrade the affected component.