A critical remote code execution vulnerability, tracked as CVE-2026-4372, has been disclosed in the widely used HuggingFace Transformers library. The flaw allows attackers to silently execute arbitrary code on a victim’s system simply by loading a malicious AI model — and it bypasses a key security control that users rely on to protect themselves. With over 2.2 billion total installs and approximately 146 million downloads per month, the scale of potential exposure is enormous.
How the Attack Works
The vulnerability stems from improper handling of untrusted data in model configuration files, specifically the _attn_implementation_internal attribute, which Transformers consults to select the attention backend for a model. An attacker publishes a seemingly legitimate model on HuggingFace Hub whose config.json sets this field to an attacker-controlled external repository instead of a built-in backend name.
When a victim loads the model with the standard from_pretrained() function and the optional kernels package is installed, Transformers resolves that value by downloading the referenced repository and executing its code, with no validation or sandboxing. Critically, this happens even when trust_remote_code=False is set, the setting most developers rely on specifically to keep model-supplied code from running. The bypass of this explicit safety control is what elevates CVE-2026-4372 to critical severity.
What Attackers Can Do After Exploitation
Because execution occurs in the full context of the user’s environment, successful exploitation gives attackers broad access:
- Theft of AWS credentials, SSH keys, API tokens, and environment variables
- Installation of persistent backdoors and malware
- Lateral movement across development infrastructure and CI/CD pipelines
- Supply chain poisoning if the compromised system is used for model training or deployment
- Complete compromise of ML workstations, research servers, and cloud instances
The attack produces no visible warnings or error messages, making detection extremely difficult without dedicated monitoring.
Exposure Window: Six Months of Risk
The vulnerable code path was introduced in August 2025 and remained exploitable until a patch was released in March 2026, creating an exposure window of approximately six months. The flaw affected Transformers versions 4.56.0 through 5.2.x when used with the optional kernels package. Researchers at Pluto Security, who discovered and reported the vulnerability, estimate that approximately 232 million installations were vulnerable during this period.
With over one million models hosted on HuggingFace Hub, the attack surface is vast. Any of these models could theoretically contain a malicious config.json, and users loading models from the Hub during the exposure window may have already been compromised without knowing it.
The Patch and What to Do Now
HuggingFace addressed CVE-2026-4372 in Transformers version 5.3.0 by blocking unsafe internal attributes during configuration parsing and enforcing stricter controls on kernel loading. The fix ensures that external code execution now requires explicit opt-in via trust_remote_code=True.
Organizations and individual developers should take the following actions immediately:
- Upgrade to Transformers 5.3.0 or later as the top priority action.
- Audit previously downloaded models for config.json files whose _attn_implementation_internal attribute points to an external repository rather than a built-in backend.
- Rotate any credentials that may have been present in environments where vulnerable Transformers versions were used to load models from HuggingFace Hub.
- Isolate model-loading environments in containers or sandboxes, ideally with egress restricted to the hosts you expect, to limit the blast radius.
- Monitor for unexpected outbound connections during model loading; exploitation requires fetching the attacker's repository, so an unexplained download at load time is a useful signal.
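The audit step above, as an added example that is not Pluto Security's or HuggingFace's tooling: it walks a directory tree (for instance the local Hub cache, assumed here to be ~/.cache/huggingface/hub) for config.json files, including nested sub-configs such as text_config or vision_config, and flags any attention setting that is not a known built-in backend. The set of built-in backend names and the two alias keys beside _attn_implementation_internal are assumptions to check against your installed version; the sample configs are constructed for the demo.

```python
"""Audit downloaded Transformers model configs for attention backends that point at
an external (Hub-hosted) repository instead of a built-in code path.
Added example: not HuggingFace's or Pluto Security's code."""
import json
import tempfile
from pathlib import Path

# Backends Transformers implements in-process. Assumed list for illustration:
# compare it with the version you run before relying on it.
BUILTIN_ATTN_BACKENDS = {
    "eager", "sdpa", "flash_attention_2", "flash_attention_3", "flex_attention",
}

# "_attn_implementation_internal" is the key named in the advisory; the other two
# are assumed aliases that are cheap to flag as well.
ATTN_KEYS = ("_attn_implementation_internal", "_attn_implementation", "attn_implementation")


def suspicious_attn_values(config, path=""):
    """Walk a parsed config.json (recursing into nested sub-config dicts) and return
    [(dotted_key, value, reason)] for every attention setting that is not a built-in."""
    findings = []
    if not isinstance(config, dict):
        return findings
    for key, value in config.items():
        dotted = f"{path}.{key}" if path else key
        if key in ATTN_KEYS:
            if isinstance(value, str) and value in BUILTIN_ATTN_BACKENDS:
                continue
            if isinstance(value, str) and "/" in value:
                reason = "looks like a Hub repo id (kernels download)"
            else:
                reason = "not a built-in backend"
            findings.append((dotted, value, reason))
        elif isinstance(value, dict):
            findings.extend(suspicious_attn_values(value, dotted))
    return findings


def scan_model_dir(root):
    """Report suspicious attention settings for every config.json under root.
    Unparseable files are reported too: an audit must not skip them silently.
    In the Hub cache config.json is usually a symlink into blobs/; read_text follows it."""
    report = []
    for cfg_path in Path(root).rglob("config.json"):
        try:
            data = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            report.append({"file": str(cfg_path), "error": str(exc), "findings": []})
            continue
        hits = suspicious_attn_values(data)
        if hits:
            report.append({"file": str(cfg_path), "findings": hits})
    return sorted(report, key=lambda entry: entry["file"])


def build_sample_tree(root):
    """Write constructed sample configs mimicking the Hub cache layout: one benign,
    one pointing at an external repo, one multimodal config with a nested hit.
    Sample data only; the repo ids are invented."""
    samples = {
        "models--org--benign/snapshots/abc/config.json": {
            "model_type": "llama", "_attn_implementation_internal": "sdpa"},
        "models--org--evil/snapshots/def/config.json": {
            "model_type": "llama",
            "_attn_implementation_internal": "attacker-org/evil-kernels"},
        "models--org--vlm/snapshots/ghi/config.json": {
            "model_type": "llava",
            "text_config": {"_attn_implementation_internal": "eager"},
            "vision_config": {"_attn_implementation_internal": "attacker-org/vision-kernels"}},
    }
    for rel, cfg in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(cfg), encoding="utf-8")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_model_dir(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry["file"])
        for dotted, value, reason in entry["findings"]:
            print(f"  {dotted} = {value!r}: {reason}")
```

Point scan_model_dir at the real cache directory to audit what is already on disk; a hit is a reason to delete that snapshot and rotate the credentials that were present when it was last loaded, not merely to patch.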
A Wake-Up Call for AI Supply Chain Security
CVE-2026-4372 is a landmark vulnerability for the AI security landscape. It demonstrates that ML model distribution platforms carry supply chain risks comparable to software package registries like PyPI and npm. Just as a malicious PyPI package can run code at install time, a malicious HuggingFace model can run code at load time, and in this case without the explicit opt-in that users were told would gate it.
As machine learning adoption accelerates across enterprises, the assumption that model files are inert data must be abandoned. Security teams need to treat AI model loading with the same scrutiny applied to software installation — including verification, sandboxing, and behavioral monitoring. The era of trusting a model simply because it has many downloads is over.
Source: Cyber Security News | Pluto Security Research