PatchSiren cyber security CVE debrief

CVE-2026-4372 huggingface CVE debrief

A critical remote code execution vulnerability exists in the HuggingFace transformers library in versions prior to 5.3.0. The vulnerability stems from unfiltered deserialization of configuration attributes in `config.json` files, specifically the `_attn_implementation_internal` field. When a victim loads a maliciously crafted model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from an attacker-controlled HuggingFace Hub repository with the victim's full OS privileges. The attack bypasses the `trust_remote_code` security mechanism and is invisible to the victim during standard documented usage. The vulnerability was disclosed via Huntr and patched in commit a7f8e7ff37d87d1a1a0c8cf607971c607741452f. The CVE entry was published on 2026-05-24 and last modified on 2026-05-26.

Vendor: huggingface
Product: huggingface/transformers
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

Organizations running HuggingFace transformers for production ML inference, ML platform teams, security teams monitoring AI/ML supply chains, researchers loading community models, and any system that automatically processes user-submitted model configurations.

Technical summary

The vulnerability exists in the deserialization path of transformers configuration files. The `_attn_implementation_internal` field, intended for internal library use, is not properly sanitized and can be weaponized to specify arbitrary HuggingFace Hub repository IDs. When `AutoModelForCausalLM.from_pretrained()` processes a malicious config.json, it triggers download and execution of attacker-controlled code without requiring `trust_remote_code=True`. The execution occurs with full victim OS privileges due to unsandboxed kernel loading. This represents a supply-chain attack vector where compromised or malicious model repositories can achieve immediate code execution on victim systems through standard ML workflows.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade HuggingFace transformers library to version 5.3.0 or later immediately
  • Audit systems for any models loaded from untrusted sources between 2026-05-24 and patch deployment
  • Review model loading pipelines to implement additional validation of config.json files before AutoModel loading
  • Consider implementing network egress controls to restrict unexpected HuggingFace Hub repository downloads
  • Monitor for anomalous Python process execution originating from transformers library cache directories
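As an added illustration of the config.json validation step recommended above and of the deserialization path described in the technical summary, the following Python pre-check is example code written for this debrief, not code from the transformers project or from the patch. It parses a downloaded model snapshot's `config.json` with the standard library only, before any transformers code runs, and refuses configs whose attention fields name anything other than an allowlisted built-in backend (in particular a value shaped like a `namespace/repo` Hub ID) or that carry an `auto_map` entry. The allowlist, the extra `attn_implementation` field name, the handling of per-submodule dicts and nested `*_config` blocks, and the two sample configs are assumptions made for the example.

```python
"""Pre-load validation of a model snapshot's config.json (example code, not from transformers)."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Assumed allowlist of attention backends that ship inside transformers itself.
# Anything else is treated as a request to fetch external kernel code and rejected.
ALLOWED_ATTN_IMPLEMENTATIONS = {
    "eager", "sdpa", "flash_attention_2", "flash_attention_3", "flex_attention",
}

# `_attn_implementation_internal` is the field named in the advisory; `attn_implementation`
# is the public spelling of the same setting and is checked as well (assumption).
ATTN_FIELDS = ("_attn_implementation_internal", "attn_implementation")

# Shape of a Hub repository ID: "namespace/repo-name".
HUB_REPO_ID_RE = re.compile(r"^[\w.-]+/[\w.-]+$")


class UnsafeModelConfig(Exception):
    """Raised when a config asks for code the loader should not fetch or run."""


def _is_allowed_backend(value) -> bool:
    return value is None or (isinstance(value, str) and value in ALLOWED_ATTN_IMPLEMENTATIONS)


def find_config_violations(config: dict, prefix: str = "") -> list[str]:
    """Return a list of human-readable problems; an empty list means the config passed."""
    problems: list[str] = []
    for field in ATTN_FIELDS:
        if field not in config:
            continue
        value = config[field]
        # Per-submodule mappings are assumed to be dicts of backend names; check each entry.
        candidates = list(value.values()) if isinstance(value, dict) else [value]
        for cand in candidates:
            if _is_allowed_backend(cand):
                continue
            looks_like_repo = isinstance(cand, str) and HUB_REPO_ID_RE.match(cand)
            kind = "Hub repository ID" if looks_like_repo else "unknown backend"
            problems.append(f"{prefix}{field}={cand!r} ({kind}) is not a built-in attention backend")
    # auto_map is the mechanism behind trust_remote_code; an untrusted config should not carry it.
    if "auto_map" in config:
        problems.append(f"{prefix}auto_map present: config requests custom model code")
    # Multimodal configs nest sub-configs (text_config, vision_config, ...); check them too.
    for key, sub in config.items():
        if isinstance(sub, dict) and key.endswith("_config"):
            problems.extend(find_config_violations(sub, prefix=f"{prefix}{key}."))
    return problems


def validate_snapshot(snapshot_dir: Path | str) -> dict:
    """Parse <snapshot_dir>/config.json with json only and raise if it fails the checks."""
    with open(Path(snapshot_dir) / "config.json", encoding="utf-8") as fh:
        config = json.load(fh)
    problems = find_config_violations(config)
    if problems:
        raise UnsafeModelConfig("; ".join(problems))
    return config


# Constructed sample configs (not real repositories or models).
BENIGN_CONFIG = {"model_type": "llama", "hidden_size": 4096, "_attn_implementation_internal": "sdpa"}
SUSPICIOUS_CONFIG = {"model_type": "llama", "_attn_implementation_internal": "example-namespace/example-kernel"}


def demo() -> bool:
    """Write both constructed configs to a temp dir; True if the benign one loads and the other is blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp) / "good", Path(tmp) / "bad"
        for folder, cfg in ((good, BENIGN_CONFIG), (bad, SUSPICIOUS_CONFIG)):
            folder.mkdir()
            (folder / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
        validate_snapshot(good)  # passes silently
        try:
            validate_snapshot(bad)
        except UnsafeModelConfig as exc:
            print("blocked:", exc)
            return True
    return False


if __name__ == "__main__":
    demo()
```

The intended flow is to resolve the repository to a local directory first (for example with `huggingface_hub.snapshot_download`), call `validate_snapshot()` on that directory, and only then hand the local path to `from_pretrained()`, so that no transformers parsing of the config happens before the check. This is a pre-check for pipelines that must keep loading community models; it does not replace upgrading to 5.3.0 or later.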

Evidence notes

Vulnerability disclosed through the Huntr bug bounty platform. Patch commit available in the official transformers repository. The NVD entry shows status 'Awaiting Analysis' as of the source data. The CVSS vector indicates a local attack vector with user interaction required, though the description suggests broader impact through social engineering of model loading.

Official resources

2026-05-24