CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 06, 2026

Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks

Cybersecurity News Archived Jun 06, 2026 ✓ Full text saved

A newly disclosed critical vulnerability in the HuggingFace Transformers library, tracked as CVE-2026-4372, allows attackers to achieve remote code execution (RCE) through malicious model configuration files. The flaw exposes a significant supply chain risk in one of the most widely used machine learning frameworks, impacting developers, enterprises, and AI pipelines globally. The vulnerability stems from […] The post Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks By Abinaya June 6, 2026 A newly disclosed critical vulnerability in the HuggingFace Transformers library, tracked as CVE-2026-4372, allows attackers to achieve remote code execution (RCE) through malicious model configuration files. The flaw exposes a significant supply chain risk in one of the most widely used machine learning frameworks, impacting developers, enterprises, and AI pipelines globally. The vulnerability stems from improper handling of untrusted data in model configuration files, specifically in the _attn_implementation_internal attribute. Attackers can inject this field into a model’s config.json, causing the library to load and execute arbitrary Python code during the standard model loading process. This occurs even when the security control trust_remote_code=False is enforced, effectively bypassing a key protection mechanism. HuggingFace Flaw Enables RCE The Kill Chain (Source: Pluto) The issue affects Transformers versions 4.56.0 through 5.2.x when used with the optional kernels package. The vulnerable code path was introduced in August 2025. It remained exploitable until March 2026, creating an exposure window of approximately six months. During this period, any user loading a malicious model from HuggingFace Hub using the common from_pretrained() function could be silently compromised. In a typical attack scenario, a threat actor uploads a seemingly legitimate model to HuggingFace Hub. The model includes a crafted config.json file that contains the malicious _attn_implementation_internal field, which points to an attacker-controlled repository. When a victim loads the model, the Transformers library automatically downloads and imports the referenced code without validation or sandboxing. This leads to immediate code execution on the victim’s system. Successful exploitation enables attackers to access sensitive data, including AWS credentials, SSH keys, API tokens, and environment variables. It also enables persistence mechanisms, lateral movement across infrastructure, and potential compromise of CI/CD pipelines. Scale of Exposure (source:Pluto) Because the attack executes during normal model loading, it produces no warnings or visible indicators, making detection extremely difficult. The scale of impact is substantial. The Transformers library has over 2.2 billion installs and processes approximately 146 million downloads per month. With more than one million models hosted on HuggingFace Hub, the attack surface is extensive. During the exposure period, an estimated 232 million installations were vulnerable, increasing the likelihood of real-world exploitation. Researchers at Pluto Security noted that the vulnerability highlights a broader issue in machine learning ecosystems: treating model files and configurations as trusted inputs. Similar patterns have been observed in other frameworks, where “safe” modes fail to prevent code execution because internal pathways are not fully accounted for. HuggingFace addressed the issue in version 5.3.0 by blocking unsafe internal attributes during configuration parsing and enforcing stricter controls on kernel loading. The fix also ensures that external code execution requires explicit user consent via trust_remote_code=True. Organizations using Transformers are strongly advised to upgrade to version 5.3.0 or later immediately. Additionally, teams should audit previously downloaded models, monitor for suspicious outbound connections, and isolate model execution environments to reduce risk. CVE-2026-4372 underscores the growing importance of securing AI supply chains. As machine learning adoption accelerates, attackers are increasingly targeting model distribution platforms, turning trusted workflows into high-impact attack vectors. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access Latest News Cyber Security OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects Cyber Security News Anthropic’s Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated] Cyber Security News Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser Cyber Security News Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware Cyber Security News New Magecart Attack Turns Stripe into a Malware Command Server
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 06, 2026
    Archived
    Jun 06, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗