CVE-2026-1839
Published 2026-04-07
Priority: P3 · 44 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.35% (26.7th percentile)
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
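The root cause above is a `torch.load()` call that does not pass `weights_only=True`. The audit below is an added example, not code from Transformers or from this advisory. It walks a Python source file's AST and classifies every `torch.load` call by how it sets that parameter. The function names and the sample source are constructed for illustration.

```python
import ast
# Constructed sample (not the real trainer.py); SAMPLE line 5 mirrors the advisory's pattern.
SAMPLE = '''
import torch
from torch import load as tload
def load_rng(path):
    return torch.load(path)
def load_explicit(path):
    return torch.load(path, weights_only=False)
def load_safe(path):
    return torch.load(path, weights_only=True)
def load_alias(path, **kw):
    return tload(path, **kw)
'''

def _load_names(tree):  # hypothetical helper: names bound to torch / torch.load
    mods, funcs = {"torch"}, set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(a.asname or a.name for a in node.names if a.name == "torch")
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            funcs.update(a.asname or a.name for a in node.names if a.name == "load")
    return mods, funcs

def audit_torch_load(source):
    """Return sorted [(lineno, verdict)] for each torch.load call in `source`."""
    tree = ast.parse(source)
    mods, funcs = _load_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        hit = (isinstance(f, ast.Attribute) and f.attr == "load"
               and isinstance(f.value, ast.Name) and f.value.id in mods)
        if not (hit or (isinstance(f, ast.Name) and f.id in funcs)):
            continue
        kw = {k.arg: k.value for k in node.keywords}  # key None marks **kwargs
        flag = kw.get("weights_only")
        if isinstance(flag, ast.Constant) and isinstance(flag.value, bool):
            verdict = "ok" if flag.value else "unsafe"
        elif flag is not None or None in kw:
            verdict = "review"   # non-literal value or **kwargs: the caller decides
        else:
            verdict = "missing"  # falls back to the unsafe default on PyTorch < 2.6
        findings.append((node.lineno, verdict))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_torch_load(SAMPLE))
```

Run it over your own training code and vendored dependencies; any `missing` or `unsafe` hit on a path that reads checkpoint files from outside your trust boundary deserves the same fix.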
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < v5.0.0rc3 | v5.0.0rc3 |
| huggingface | transformers | < 5.0.0 | 5.0.0 |
| huggingface | transformers | — | — |
| huggingface | transformers | >= 0 < 5.0.0rc3 | 5.0.0rc3 |
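CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H |
| vendor_redhat | | 6.5 | MEDIUM | |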
GHSA
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
ghsa·2026-04-07
CVE-2026-1839 [MEDIUM] CWE-502 HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
OSV
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
osv·2026-04-07
CVE-2026-1839 [MEDIUM] HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
Red Hat
transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
vendor_redhat·2026-04-07·CVSS 6.5
CVE-2026-1839 [MEDIUM] CWE-502 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
A flaw was found in HuggingFace Transformers. A remote attacker can exploit this vulnerability by supplying a specially crafted checkpoint file (e.g., `rng_state.pth`). The `_load_rng_state()` method in the `Trainer` class loads this file using `torch.load()` without proper validation, specifically missing the `weights_only=True` parameter. This issue primarily affects systems using PyTorch versions below 2.6. Successful exploitation can lead to arbitrary code execution on the system where the file is loaded.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, ap
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
bugzilla·2026-04-07·CVSS 6.5
CVE-2026-1839 [MEDIUM] CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
Wiz
CVE-2026-1839 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-1839 [MEDIUM] CVE-2026-1839 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1839: Hugging Face Transformers vulnerability analysis and mitigation
Source: NVD
Score: 6.5
Published April 7, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Hugging Face Transformers
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
transformers
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Apr 09, 2026