CVE-2026-46517
Published 2026-06-10
Priority P339 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.15% (4.4th percentile)
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| internlm | lmdeploy | <= 0.12.3 | — |
| internlm | lmdeploy | 0 – 0.12.3 | — |
VulDB
InternLM LMDeploy dynamically-determined object attributes (EUVD-2026-35874)
vuldb·2026-06-15·CVSS 7.8
CVE-2026-46517 [HIGH] InternLM LMDeploy dynamically-determined object attributes (EUVD-2026-35874)
A vulnerability described as problematic has been identified in InternLM LMDeploy. Affected by this issue is some unknown functionality. Executing a manipulation can lead to dynamically-determined object attributes.
This vulnerability is handled as CVE-2026-46517. The attack can be executed remotely. There is not any exploit available.
GHSA
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
ghsa·2026-05-21
CVE-2026-46517 [HIGH] CWE-94 lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
> ## 📋 Reframing (2026-05-02): implicit unsafe remote-code path, not "supply-chain"
>
> The accurate description of this vulnerability is:
> **"`get_model_arch` and related helpers hardcode `trust_remote_code=True`
> with no opt-out, creating an implicit unsafe remote-code load path
> on every model fetch."**
>
> What this report does NOT claim:
> * It is NOT a network-attack RCE — the user supplies the model
> reference; LMDeploy honors it.
> * It is NOT a "supply chain" CVE in the classical sense (where a
> benign upstream is compromised) — the user explicitly types the
> repo name.
>
> What this report DOES claim:
> * Other inference frameworks (vLLM, TGI, Hugging Face transforme
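One way to audit a code base for the pattern the advisory describes, a literal `trust_remote_code=True` that the caller cannot override. This is an added example, not code from LMDeploy or from the advisory; the sample source and the names `load_arch`, `load_tokenizer`, `load_with_kwargs` and `find_hardcoded_trust` are constructed for illustration.

```python
import ast

# Constructed sample: hypothetical loader code, NOT LMDeploy's source.
SAMPLE = '''
from transformers import AutoConfig, AutoTokenizer

def load_arch(model_path):
    return AutoConfig.from_pretrained(model_path, trust_remote_code=True)

def load_tokenizer(model_path, trust_remote_code=False):
    return AutoTokenizer.from_pretrained(
        model_path, trust_remote_code=trust_remote_code)

def load_with_kwargs(model_path):
    opts = dict(trust_remote_code=True)
    return AutoConfig.from_pretrained(model_path, **opts)
'''


def find_hardcoded_trust(source, filename="<sample>"):
    """Return sorted (line, enclosing function) pairs for every call that
    passes the literal trust_remote_code=True. A value forwarded from a
    parameter (the opt-in form) is not reported. Dict literals such as
    {"trust_remote_code": True} are out of scope for this check."""
    tree = ast.parse(source, filename)  # parses only, never imports or runs
    findings = []

    def visit(node, func):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            func = node.name
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "trust_remote_code"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, func))
        for child in ast.iter_child_nodes(node):
            visit(child, func)

    visit(tree, "<module>")
    return sorted(findings)


if __name__ == "__main__":
    for line, func in find_hardcoded_trust(SAMPLE):
        print(f"line {line}: literal trust_remote_code=True in {func}()")
```

The `dict(trust_remote_code=True)` case is reported as well, because a hardcoded value routed through `**kwargs` gives the caller no more control than the direct form.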