HuggingFace: Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks

Critical RCE Vulnerability in HuggingFace Transformers Library Exposes AI Supply Chains

A newly disclosed critical vulnerability in the HuggingFace Transformers library, tracked as CVE-2026-4372, enables remote code execution (RCE) through a malicious model configuration file. Because the payload travels inside an otherwise ordinary model repository, the flaw is a supply chain risk for developers, enterprises, and AI pipelines worldwide that pull models from the Hub.

The vulnerability stems from improper handling of untrusted data in the _attn_implementation_internal attribute of a model’s config.json. By injecting this field, an attacker can make the library execute arbitrary Python code during model loading, even with trust_remote_code=False, the setting meant to block execution of repository-supplied code. That bypass is what makes the flaw critical: the one control most users rely on does not cover this code path.

The issue affects Transformers versions 4.56.0 through 5.2.x when the optional kernels package is installed. The vulnerable code was introduced in August 2025 and remained exploitable until the March 2026 fix, leaving users exposed for roughly half a year. During that window, loading a malicious model from the HuggingFace Hub with from_pretrained() could silently compromise the host.

In a typical attack, threat actors upload a model whose crafted config.json points to an attacker-controlled repository. When the model is loaded, the library downloads and executes the referenced code without validation, giving the attacker whatever the loading process can reach: AWS credentials, SSH keys, API tokens, and environment variables. From there the compromise can be extended to persistence, lateral movement, and CI/CD pipelines that load models as part of a build.

The attack is stealthy: loading produces no warning or other visible indicator, so detection is difficult. The library’s reach amplifies the risk: 2.2 billion installs, 146 million monthly downloads, more than one million models on the HuggingFace Hub, and an estimated 232 million vulnerable installations during the exposure window.

Researchers at Pluto Security noted that the flaw reflects a broader problem in machine learning ecosystems: model files and their configurations are treated as trusted inputs. Similar vulnerabilities have been seen in other frameworks, where a "safe" mode fails to prevent code execution because an internal code path was not accounted for.

HuggingFace patched the issue in version 5.3.0 by blocking unsafe internal attributes and tightening kernel-loading controls; external code now runs only with explicit user consent (trust_remote_code=True). The incident underscores the growing threat to AI supply chains as attackers increasingly target model distribution platforms.
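The two checks a practitioner wants from the advisory above are (a) does a model's config.json carry the `_attn_implementation_internal` field at all, and (b) is the local transformers install inside the affected window with kernels present. The Python below is an added example, not Hugging Face or Pluto Security code, and it does not reproduce the exploit; it only inspects the config before any from_pretrained() call. The field name and the version window (4.56.0 up to, but not including, 5.3.0, with kernels installed) come from the advisory; the sample configs and the repository-like placeholder value in the malicious one are constructed for the example, since the advisory does not document the field's format.

```python
"""Pre-load checks for Hugging Face model repositories (added example).

Not Hugging Face or Pluto Security code. It encodes two facts from the
advisory: the injected config.json field is `_attn_implementation_internal`,
and transformers 4.56.0 up to (not including) 5.3.0 is affected when the
optional `kernels` package is installed. Sample configs are constructed.
"""
import json
import re
from typing import List, Tuple

# Field the advisory names as the injection point in config.json.
SUSPICIOUS_KEY = "_attn_implementation_internal"

# Affected window from the advisory: first bad release, first fixed release.
AFFECTED_MIN = (4, 56, 0)
FIXED_VERSION = (5, 3, 0)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a version string.

    '4.56.0.dev0' -> ((4, 56, 0), True); '5.3.0rc1' -> ((5, 3, 0), True).
    """
    pieces = version.split(".")
    nums: List[int] = []
    prerelease = len(pieces) > 3  # e.g. '5.3.0.dev0'
    for piece in pieces[:3]:
        match = re.match(r"(\d+)(.*)", piece)
        if not match:
            prerelease = True
            break
        nums.append(int(match.group(1)))
        if match.group(2):  # trailing 'rc1', 'a0', ...
            prerelease = True
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2]), prerelease


def is_affected(transformers_version: str, kernels_installed: bool) -> bool:
    """True when the install falls in the advisory's window.

    A 5.3.0 pre-release sorts below the 5.3.0 final, so it is treated as
    still unfixed; that is the conservative reading.
    """
    if not kernels_installed:
        return False
    v, prerelease = parse_version(transformers_version)
    if v < AFFECTED_MIN:
        return False
    if v < FIXED_VERSION:
        return True
    return prerelease and v == FIXED_VERSION


def scan_config(config_text: str) -> List[str]:
    """Return findings for one config.json body; an empty list means clean.

    Only the field the advisory names is treated as an indicator. Its value
    is echoed so a reviewer can see what the load would have pulled in.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config.json top-level value is not a JSON object"]
    findings: List[str] = []
    if SUSPICIOUS_KEY in cfg:
        findings.append(f"HIGH: {SUSPICIOUS_KEY} present, value={cfg[SUSPICIOUS_KEY]!r}")
    return findings


def should_block_load(config_text: str, transformers_version: str,
                      kernels_installed: bool) -> Tuple[bool, List[str]]:
    """Gate a from_pretrained() call on the config scan.

    Blocks on a config finding (indicator present or config unparseable);
    an affected local install is reported as a note but does not by itself
    block a clean config, since this CVE needs the field in the repo.
    """
    notes = scan_config(config_text)
    if is_affected(transformers_version, kernels_installed):
        notes.append(
            f"transformers {transformers_version} with kernels installed is in "
            f"the affected window; upgrade to {'.'.join(map(str, FIXED_VERSION))}+"
        )
    block = any(n.startswith(("HIGH", "config.json")) for n in notes)
    return block, notes


# Constructed samples; these are not real Hub repositories.
BENIGN_CONFIG = json.dumps({
    "architectures": ["LlamaForCausalLM"],
    "model_type": "llama",
    "hidden_size": 4096,
    "torch_dtype": "bfloat16",
})
# The advisory says the field points at an attacker-controlled repository but
# does not give its format; the value below is a placeholder, not a real ref.
MALICIOUS_CONFIG = json.dumps({
    "architectures": ["LlamaForCausalLM"],
    "model_type": "llama",
    "hidden_size": 4096,
    "_attn_implementation_internal": "placeholder-org/placeholder-kernels",
})

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        blocked, why = should_block_load(text, "5.2.1", kernels_installed=True)
        print(name, "BLOCK" if blocked else "allow", why)
```

In a real pipeline, feed `is_affected()` the output of `importlib.metadata.version("transformers")` and run `scan_config()` over the config.json fetched from the repository (for example with `huggingface_hub.hf_hub_download`) before any from_pretrained() call; the gate is worth keeping even after upgrading, because a repository that ships this field has no legitimate reason to.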

Source: https://cybersecuritynews.com/hugging-face-rce-vulnerability/

Hugging Face cybersecurity rating report: https://www.rankiteo.com/company/huggingface

{
"id": "HUG1780734439",
"linkid": "huggingface",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Developers, enterprises, and AI '
                                              'pipeline users worldwide '
                                              '(estimated 232 million '
                                              'vulnerable installations)',
                        'industry': 'Artificial Intelligence, Machine Learning',
                        'location': 'Global',
                        'name': 'HuggingFace',
                        'size': 'Large (2.2 billion installs, 146 million '
                                'monthly downloads)',
                        'type': 'Technology Company'}],
 'attack_vector': 'Malicious model configuration files (config.json)',
 'data_breach': {'data_exfiltration': 'Possible (attackers could exfiltrate '
                                      'sensitive data)',
                 'file_types_exposed': 'Model configuration files '
                                       '(config.json)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Credentials (AWS, SSH, API '
                                             'tokens), environment variables'},
 'date_detected': '2026-03',
 'date_resolved': '2026-03',
 'description': 'A newly disclosed critical vulnerability in the HuggingFace '
                'Transformers library, tracked as CVE-2026-4372, enables '
                'remote code execution (RCE) via malicious model configuration '
                'files. The flaw poses a severe supply chain risk, affecting '
                'developers, enterprises, and AI pipelines worldwide. The '
                'vulnerability stems from improper handling of untrusted data '
                'in the `_attn_implementation_internal` attribute within a '
                'model’s `config.json` file, allowing attackers to execute '
                'arbitrary Python code during model loading even when '
                '`trust_remote_code=False` is enabled.',
 'impact': {'brand_reputation_impact': "Severe risk to HuggingFace's "
                                       'reputation as a trusted AI model '
                                       'repository',
            'data_compromised': 'AWS credentials, SSH keys, API tokens, '
                                'environment variables',
            'identity_theft_risk': 'High (due to exposure of sensitive '
                                   'credentials)',
            'operational_impact': 'Potential compromise of development and '
                                  'production environments',
            'systems_affected': 'AI pipelines, CI/CD pipelines, systems '
                                'loading malicious models'},
 'initial_access_broker': {'backdoors_established': 'Automatic code execution '
                                                    'during model loading',
                           'entry_point': 'Malicious model uploaded to '
                                          'HuggingFace Hub',
                           'high_value_targets': 'CI/CD pipelines, development '
                                                 'environments'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'The flaw reflects a broader issue in machine learning '
                    'ecosystems: treating model files and configurations as '
                    'trusted inputs. Similar vulnerabilities have been '
                    "observed in other frameworks where 'safe' modes fail to "
                    'prevent code execution due to unaccounted internal '
                    'pathways.',
 'post_incident_analysis': {'corrective_actions': 'Patching in version 5.3.0 '
                                                  'to block unsafe internal '
                                                  'attributes and enforce '
                                                  'stricter kernel-loading '
                                                  'controls',
                            'root_causes': 'Improper handling of untrusted '
                                           'data in the '
                                           '`_attn_implementation_internal` '
                                           'attribute, bypassing '
                                           '`trust_remote_code=False` security '
                                           'setting'},
 'recommendations': 'Update to Transformers version 5.3.0 or later, enforce '
                    'strict validation of model configuration files, and treat '
                    'model repositories as untrusted sources unless explicitly '
                    'verified.',
 'references': [{'source': 'Pluto Security'}],
 'response': {'containment_measures': 'Blocking unsafe internal attributes in '
                                      'version 5.3.0',
              'remediation_measures': 'Enforcing stricter kernel-loading '
                                      'controls, requiring explicit user '
                                      'consent (`trust_remote_code=True`) for '
                                      'external code execution',
              'third_party_assistance': 'Pluto Security (researchers who '
                                        'highlighted the flaw)'},
 'title': 'Critical RCE Vulnerability in HuggingFace Transformers Library '
          'Exposes AI Supply Chains',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-4372'}