Malicious Hugging Face Models Could Trigger Remote Code Execution

A flaw in Hugging Face Transformers could allow malicious AI models to execute code, exposing credentials and highlighting AI supply chain risks.

Written by
Ken Underhill
Jun 5, 2026

Organizations using vulnerable versions of the Hugging Face Transformers library could unknowingly execute attacker-controlled code simply by loading a malicious AI model.

Researchers at Pluto disclosed a remote code execution (RCE) vulnerability that bypasses the library’s built-in trust_remote_code=False security control, potentially exposing cloud credentials, SSH keys, API tokens, and other sensitive assets.

“One poisoned field in a model’s config.json silently executes arbitrary code on anyone who loads it. No special flags. No warnings. Just the standard from_pretrained() call,” said researchers in their analysis.

Key takeaways from the vulnerability

  • CVE-2026-4372 allows remote code execution through malicious Hugging Face model configurations, bypassing the library’s trust_remote_code=False security control.
  • The vulnerability affects multiple Transformers versions when the optional kernels package is installed, which is common in GPU-accelerated AI environments.
  • Attackers can trigger code execution through a standard from_pretrained() call, potentially exposing cloud credentials, API tokens, SSH keys, and other sensitive assets.

Inside the Hugging Face RCE flaw

The vulnerability, tracked as CVE-2026-4372, affects multiple versions of Hugging Face Transformers when the optional kernels package is installed.

Although the package is not enabled by default, it is commonly used in GPU-accelerated inference environments and is often included through the transformers[all] installation option.

Researchers said vulnerable Transformers versions were downloaded about 232 million times before a patch was released, creating supply chain risk for organizations using third-party AI models.

What caused the vulnerability?

The flaw originates in how Transformers processes model configuration files (config.json).

Researchers found that the library relied on a generic setattr() mechanism that applied configuration parameters directly to internal objects, including private attributes that were never intended to be influenced by untrusted input.

As a result, attackers could manipulate internal settings through a specially crafted model configuration.

How the exploit works

One of those settings, _attn_implementation_internal, controls the selection of attention kernels within the library.

By modifying this attribute to reference a malicious kernel repository hosted on Hugging Face Hub, an attacker could trigger the automatic download and import of attacker-controlled Python code. Because this process occurred during a routine from_pretrained() operation, victims would see no unusual prompts or warnings before the malicious code executed.

Researchers noted that the flaw bypassed one of the platform’s primary security controls, the trust_remote_code=False setting, which organizations rely on to prevent untrusted code from running.

Exploitation required no special permissions, security exceptions, or additional user interaction beyond loading the model.

Proof-of-concept exploits demonstrated that attackers could access cloud credentials, API tokens, and other sensitive assets, potentially providing a foothold into enterprise infrastructure.

Reducing AI supply chain risks

CVE-2026-4372 highlights the risks associated with AI supply chains and third-party model repositories; security teams should respond by strengthening visibility, access controls, and monitoring across machine learning environments.

  • Upgrade to the latest Transformers version, review environments that include the optional kernels package, and restrict the use of unapproved third-party AI models.
  • Maintain an up-to-date software bill of materials (SBOM) and AI asset inventory to track deployed models, libraries, dependencies, and related components.
  • Use isolated, sandboxed environments to evaluate external models before introducing them into production workflows.
  • Implement least-privilege access controls and avoid storing long-lived credentials, API keys, or sensitive secrets on model-loading systems.
  • Restrict outbound network connections and monitor for unusual model downloads, package imports, repository references, and other suspicious activity originating from machine learning infrastructure.
  • Test incident response plans and use attack-simulation solutions with scenarios focused on AI workloads and supply chain compromise.

Collectively, these steps can help organizations reduce their exposure to AI supply chain threats while building resilience against attacks targeting machine learning environments and third-party model ecosystems.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.