PatchSiren


CVE-2026-44513 huggingface CVE debrief

CVE-2026-44513 is a high-severity arbitrary code execution vulnerability in Hugging Face Diffusers, a popular Python library for pretrained diffusion models. The flaw exists in versions prior to 0.38.0 and stems from an architectural defect in how the `trust_remote_code` security gate was implemented. Rather than enforcing the check at the point of dynamic module loading, the gate was placed inside `DiffusionPipeline.download()`, allowing multiple code paths to bypass the security control entirely. Three distinct attack vectors enable remote code execution even when `trust_remote_code=False` (the default): (1) specifying a `custom_pipeline` from an attacker-controlled repository causes the gate to evaluate against the base repository's file list rather than the custom pipeline's; (2) loading from a local path with a `custom_pipeline` skips `download()` entirely, bypassing the gate; and (3) local snapshots containing custom component files referenced in `model_index.json` execute without security validation. The vulnerability was published on May 14, 2026, and modified on May 19, 2026. It carries a CVSS 3.1 score of 8.8 (HIGH) with network attack vector, low complexity, no privileges required, and high impacts to confidentiality, integrity, and availability. The root cause is classified as CWE-94 (Improper Control of Generation of Code). Organizations using Diffusers should upgrade to version 0.38.0 or later immediately, as this release contains the fix that properly relocates the security check to the dynamic module loading site.

Vendor: huggingface
Product: diffusers
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations running machine learning inference pipelines with Hugging Face Diffusers, particularly those loading models from public repositories or using custom pipeline components. Security teams responsible for ML supply chain security, MLOps engineers managing model deployment infrastructure, and developers building applications on Diffusers should prioritize this patch due to the trivial exploitability and high impact of arbitrary code execution in ML runtime environments.

Technical summary

The vulnerability arises from a trust boundary violation (CWE-94): the `trust_remote_code` security control was implemented at the wrong architectural layer. In affected versions, `DiffusionPipeline.from_pretrained()` accepts a `trust_remote_code` parameter defaulting to False, intended to prevent execution of untrusted remote code. However, the actual enforcement occurred inside `download()`, not at the module loading site. This design flaw creates three bypass conditions: first, when `custom_pipeline='attacker/repoB'` is specified alongside a base repository (repoA), the gate evaluates repoA's file list while it is repoB's pipeline.py that executes; second, loading from a local path (`/local/snapshot`) with `custom_pipeline` never invokes `download()`, so the gate is skipped entirely; third, local snapshots with custom component files (e.g., unet/my_unet_model.py) referenced in model_index.json execute without validation. All variants achieve arbitrary code execution with the privileges of the Diffusers process. The fix in 0.38.0 relocates the security check to the actual dynamic module loading site, ensuring consistent enforcement regardless of code path.
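The following is an added pre-load audit helper (example code written for this debrief, not part of Diffusers) that flags the two local-path conditions above before `from_pretrained()` is called: a `custom_pipeline` argument, and component entries in `model_index.json` whose subfolder carries Python files. It assumes the usual model_index.json layout of `"component": [library, class]` and a hypothetical allowlist of built-in component libraries; the sample snapshot it builds is constructed, not a real model.

```python
import json
import os
import tempfile

PATCHED = (0, 38, 0)  # fix shipped in diffusers 0.38.0 (from the advisory)
BUILTIN_LIBS = {"diffusers", "transformers"}  # hypothetical allowlist of component libraries


def version_tuple(v):
    """'0.37.0' -> (0, 37, 0); tolerates suffixes such as '0.38.0.dev0'."""
    return tuple(int(p) for p in v.split(".")[:3])


def audit_load(version, source, custom_pipeline=None, trust_remote_code=False):
    """Heuristic findings for a planned from_pretrained() call (not the library's own check)."""
    findings = []
    if custom_pipeline:
        findings.append("custom_pipeline supplied: %r will be imported and run" % custom_pipeline)
    if os.path.isdir(source):  # local snapshot: bypass conditions 2 and 3 never hit download()
        idx = os.path.join(source, "model_index.json")
        if os.path.isfile(idx):
            with open(idx) as f:
                index = json.load(f)
            for name, spec in index.items():
                if name.startswith("_") or not isinstance(spec, list):
                    continue  # skip metadata keys such as _class_name
                lib = spec[0]
                sub = os.path.join(source, name)
                py = [fn for fn in os.listdir(sub) if fn.endswith(".py")] if os.path.isdir(sub) else []
                if lib not in BUILTIN_LIBS or py:
                    findings.append("component %r references custom code (%s)" % (name, ", ".join(py) or lib))
    if findings and version_tuple(version) < PATCHED and not trust_remote_code:
        findings.append("diffusers %s < 0.38.0: trust_remote_code=False would NOT block the above" % version)
    return findings


def build_sample_snapshot():
    """Constructed snapshot mirroring bypass condition 3: unet/my_unet_model.py named in model_index.json."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "unet"))
    index = {"_class_name": "StableDiffusionPipeline",
             "unet": ["my_unet_model", "MyUNet"],        # custom module, not a built-in library
             "vae": ["diffusers", "AutoencoderKL"]}      # ordinary built-in component
    with open(os.path.join(root, "model_index.json"), "w") as f:
        json.dump(index, f)
    open(os.path.join(root, "unet", "my_unet_model.py"), "w").close()
    return root


if __name__ == "__main__":
    for finding in audit_load("0.37.0", build_sample_snapshot()):
        print(finding)
```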

Defensive priority

critical

Recommended defensive actions

  • Upgrade Hugging Face Diffusers to version 0.38.0 or later immediately to obtain the fix that relocates the trust_remote_code security check to the dynamic module loading site
  • Audit existing model loading code for use of custom_pipeline parameters or local path loading patterns that may have been exploited prior to patching
  • Review and restrict repository sources for diffusion models to trusted, verified publishers only
  • Implement network egress controls on systems running Diffusers to limit outbound connections to untrusted model repositories
  • Monitor for anomalous code execution or unexpected network connections from Diffusers-based applications
  • If immediate patching is not feasible, avoid loading models from untrusted sources and disable custom_pipeline usage until upgrade is complete

Evidence notes

Vulnerability description and technical details sourced from NVD record and GitHub Security Advisory GHSA-98h9-4798-4q5v. CVSS vector and CPE criteria confirm affected versions below 0.38.0. CWE-94 classification provided by [email protected].

Official resources

2026-05-14T17:16:22.903Z