Malicious Hugging Face Models Could Trigger Remote Code Execution
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-4372, has been discovered in the Hugging Face Transformers library. Disclosed by Pluto Security Inc., the flaw allows malicious AI models to run arbitrary code on a user’s system during routine loading, effectively bypassing the trust_remote_code=False security setting designed to prevent such attacks.
The discovery highlights a significant weakness in the AI software supply chain. Because the Transformers library is a cornerstone of modern machine learning development, the ability for an attacker to execute code through a standard model-loading command presents a high-stakes risk to developers, researchers, and large-scale enterprises alike.
How does the CVE-2026-4372 vulnerability work?
The vulnerability is triggered through the standard from_pretrained() call, the routine function developers use to load pre-trained models into their workflows. Under normal circumstances, security-conscious organizations pass trust_remote_code=False so that the library refuses to import and execute custom Python classes shipped inside a model repository (the auto_map mechanism in config.json); only the library's own vetted modeling code is supposed to run. The setting is meant to act as a gate between the downloaded repository and the Python interpreter.
However, CVE-2026-4372 renders this safeguard ineffective. According to findings from Pluto Security Inc., an attacker can slip a malicious payload directly into a model’s configuration file. When the library attempts to parse this file during a routine load, the payload executes on the victim’s machine. Crucially, this process occurs without any warning, prompts, or visible errors on the user’s screen, making it nearly impossible for a developer to detect the intrusion through standard observation.
This method of attack is particularly insidious because it removes the step on which earlier defenses relied. Previous attacks generally needed the victim to opt in to untrusted code, for example by enabling trust_remote_code or by running an unfamiliar loader script. Here the exploit rides on the ordinary, default loading path, so the safeguard a team has already configured is the one that fails.
What is the scale of the Hugging Face Transformers risk?
The potential impact of this vulnerability is massive, given the ubiquity of the Transformers library in the artificial intelligence ecosystem. The package has been downloaded more than 2.2 billion times to date and currently sees approximately 146 million downloads every month. Because the library is a fundamental building block for everything from simple chatbots to complex enterprise AI, the attack surface is incredibly broad.

Pluto Security’s analysis suggests that the flaw has been active for a significant period. The vulnerability first appeared in version 4.56.0, which was released on August 29, 2025. Every subsequent release carried the flaw until a patch was implemented. Pluto estimates that vulnerable versions of the library were downloaded approximately 232 million times during the six-month window in which the flaw was live.
This scale of exposure underscores the “supply chain” nature of the threat. In modern AI development, developers rarely write every line of code from scratch; they rely on a massive web of interconnected libraries and pre-trained models. A single compromise in a foundational package like Transformers can cascade through thousands of downstream applications, exposing sensitive credentials, proprietary data, and entire computing environments to unauthorized access.
Which versions of the library are affected?
Not every user of the Transformers library is exposed, because the exploit requires a specific environmental condition to succeed. The vulnerability affects versions 4.56.0 through 5.2.x, but only on systems where the kernels package is installed alongside Transformers. That dependency is the critical detail for system administrators and DevOps engineers to verify when assessing their exposure: both conditions, a version in the affected range and the kernels package present, must hold.
For organizations running these version ranges with the kernels package installed, the immediate priority is to move to a patched version of the library. Because the flaw is triggered by routinely loading a model, simply pulling a model from the Hub and calling from_pretrained() on it can be enough to compromise a system if the underlying library is unpatched.
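The following is an added example, not code from Pluto Security or Hugging Face, showing how to turn the two conditions above (an installed Transformers version between 4.56.0 and 5.2.x, and the kernels package present) into a repeatable check that can run in CI or on a developer workstation. It assumes that the first release after 5.2.x is the first safe one, which is inferred from the stated range rather than from the advisory; confirm the actual fixed version against the official Hugging Face advisory before relying on that boundary.

```python
"""Exposure check for CVE-2026-4372 as described in the article.

Added example; not Pluto Security's or Hugging Face's code. The affected
range (4.56.0 through 5.2.x, inclusive) comes from the article. FIXED_FROM
is an assumption inferred from that range, not a value the article states.
"""
import importlib.metadata as md
import re
from typing import Dict, Optional, Tuple

AFFECTED_FROM: Tuple[int, int, int] = (4, 56, 0)  # first vulnerable release per the article
FIXED_FROM: Tuple[int, int, int] = (5, 3, 0)      # ASSUMPTION: first release after "5.2.x"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.2.1', '4.56.0.dev0' or '5.0.0rc1' into a comparable tuple.

    Only the leading numeric components are used; pre-release and dev
    suffixes are ignored, so '5.0.0rc1' compares as (5, 0, 0).
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(transformers_version: str, kernels_installed: bool) -> bool:
    """Both conditions from the disclosure must hold for the trigger described."""
    version = parse_version(transformers_version)
    in_range = AFFECTED_FROM <= version < FIXED_FROM
    return in_range and kernels_installed


def installed_version(distribution: str) -> Optional[str]:
    """Return the installed version of a distribution, or None if absent."""
    try:
        return md.version(distribution)
    except md.PackageNotFoundError:
        return None


def check_environment() -> Dict[str, object]:
    """Inspect the current interpreter's site-packages and report exposure."""
    transformers_version = installed_version("transformers")
    kernels_version = installed_version("kernels")
    affected = transformers_version is not None and is_affected(
        transformers_version, kernels_version is not None
    )
    return {
        "transformers": transformers_version,
        "kernels": kernels_version,
        "affected": affected,
    }


if __name__ == "__main__":
    report = check_environment()
    for key, value in report.items():
        print(f"{key:13s}: {value}")
```

Run it with the same interpreter that loads models (the one your training or inference jobs use, not a global Python), since that is where the vulnerable import chain lives. A result of affected: True means upgrade before pulling any further models from the Hub. Note that the absence of the kernels package only removes the trigger described in this disclosure; it is not a substitute for moving to a patched Transformers release.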
Vulnerability Summary
- Identifier: CVE-2026-4372
- Vulnerability Type: Remote Code Execution (RCE)
- Primary Target: Hugging Face Transformers library
- Affected Versions: 4.56.0 through 5.2.x (with the kernels package installed)
- Exploit Method: Malicious payloads in model configuration files via from_pretrained()
- Security Bypass: Defeats the trust_remote_code=False setting
What does this mean for AI supply chain security?
The disclosure of CVE-2026-4372 serves as a wake-up call for the industry regarding the maturity of AI security practices. For years, the prevailing wisdom in the machine learning community has been that leaving trust_remote_code disabled is a sufficient defense against malicious models. This flaw shows that even a "safe" configuration can be bypassed by a payload hidden in model metadata, because the setting only governs one of the paths by which repository content reaches the interpreter.

“Organizations have spent years building policies around the idea that keeping trust_remote_code disabled makes model loading safe,” said Yotam Perkal, director of security research at Pluto Security. This sentiment highlights a growing gap between the rapid deployment of AI tools and the security frameworks required to govern them.
As the AI ecosystem continues to grow, the risk of supply chain attacks is expected to increase. Attackers are no longer just looking for ways to trick humans; they are looking for ways to exploit the automated, programmatic ways that AI models are integrated into production environments. This requires a shift toward zero-trust architectures, where even “trusted” libraries and configuration files are treated with a high degree of suspicion and undergo rigorous automated scanning.
Beyond simple code execution, the implications of such a flaw include the potential for credential theft, lateral movement within corporate networks, and the corruption of training datasets. For companies building proprietary models, the ability for an attacker to gain access to the environment where training occurs could lead to the theft of invaluable intellectual property.
Security researchers recommend that all AI development teams implement more robust monitoring of their execution environments and move toward more isolated, containerized workflows when loading third-party models. While patching the library is the first step, the long-term solution involves a fundamental rethink of how trust is established in the AI software lifecycle.
Developers should continue to monitor official Hugging Face security advisories and documentation for the most recent guidance on safe model loading practices. As the industry moves toward more standardized security protocols, the focus will likely shift from simple configuration toggles to more comprehensive, multi-layered defense strategies.
The next major checkpoint for this issue will be the rollout of comprehensive security audits for the most widely used models on the Hugging Face Hub to identify any existing malicious payloads that may have been uploaded during the period the flaw was active. We will continue to monitor for updates regarding patch stability and any new findings from the security research community.
What are your thoughts on the evolving security of AI supply chains? Do you think current safety settings are sufficient? Share your views in the comments below and share this article with your tech network.