CVE-2026-4372
published 2026-05-24CVE-2026-4372: A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows…
PriorityP345high7.8CVSS 3.0
AVLACLPRNUIRSUCHIHAH
EPSS
0.48%
37.7th percentile
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < 5.3.0 | 5.3.0 |
| huggingface | transformers | < 5.3.0 | 5.3.0 |
CVSS provenance
nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvelistv5v3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-29pf-2h5f-8g72: A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5
ghsa_unreviewed·2026-05-26
CVE-2026-4372 [HIGH] CWE-1066 GHSA-29pf-2h5f-8g72: A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is inv
VulDB
huggingface transformers up to 5.2.x config.json AutoModelForCausalLM.from_pretrained _attn_implementation_internal missing serialization control element (EUVD-2026-31598)
vuldb·2026-05-25
CVE-2026-4372 [LOW] huggingface transformers up to 5.2.x config.json AutoModelForCausalLM.from_pretrained _attn_implementation_internal missing serialization control element (EUVD-2026-31598)
A vulnerability marked as problematic has been reported in huggingface transformers up to 5.2.x. This vulnerability affects the function AutoModelForCausalLM.from_pretrained of the file config.json. This manipulation of the argument _attn_implementation_internal causes missing serialization control element.
This vulnerability is tracked as CVE-2026-4372. The attack is restricted to local execution. No exploit exists.
It is suggested to upgrade the affected component.
CVEList
Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
cvelistv5·2026-05-24·CVSS 7.8
CVE-2026-4372 [HIGH] CWE-1066 Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandbo
No detection rules found.
No public exploits indexed.
2026-05-24
Published