PatchSiren cyber security CVE debrief
CVE-2026-44827 Huggingface CVE debrief
CVE-2026-44827 is a high-severity remote code execution issue in Hugging Face diffusers versions before 0.38.0. According to the CVE description and the linked vendor advisory, a specially crafted Hugging Face Hub repository can cause attacker-supplied Python to run during an ordinary DiffusionPipeline.from_pretrained() load, even when the caller never passed trust_remote_code=True. The issue is fixed in diffusers 0.38.0.
- Vendor: Huggingface
- Product: Diffusers
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-19
Who should care
Security teams, ML platform operators, and developers using Hugging Face diffusers, and especially anyone who loads third-party or remote diffusion pipelines from the Hugging Face Hub in production, CI, notebooks, or automated model-serving workflows.
Technical summary
The vulnerability is described as a logic flaw in custom pipeline resolution. In diffusers 0.37.0 and earlier, _resolve_custom_pipeline_and_cls in pipeline_loading_utils.py builds the custom pipeline filename as f"{custom_pipeline}.py". The custom_pipeline kwarg defaults to None when omitted, and an f-string renders None as the string "None", so the resolver looks for a file literally named None.py. The trust_remote_code guard in DiffusionPipeline.download() only fires when custom_pipeline was supplied by the caller, so it never triggers for the default case. A malicious repository that ships a None.py file alongside an ordinary-looking model_index.json is therefore downloaded and its None.py imported during a routine from_pretrained() call, which is arbitrary code execution in the loading process.
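The resolution flaw described above, modelled in plain Python. This is an added illustration and not the diffusers code itself: the function names, the two repository file listings and the two guard variants are assumptions chosen to mirror the advisory's description, and nothing is actually downloaded, imported or executed.

```python
# Constructed file listings for two hypothetical Hub repositories.
MALICIOUS_REPO_FILES = ["model_index.json", "unet/config.json", "None.py"]
BENIGN_REPO_FILES = ["model_index.json", "unet/config.json"]


def resolve_vulnerable(repo_files, custom_pipeline=None):
    """Vulnerable pattern: format the kwarg without checking for None.

    f"{None}.py" evaluates to the string "None.py", so an omitted kwarg still
    names a concrete file, and a repository that ships one gets it selected.
    """
    candidate = f"{custom_pipeline}.py"
    return candidate if candidate in repo_files else None


def resolve_fixed(repo_files, custom_pipeline=None):
    """Hardened pattern: no custom pipeline requested means nothing to import."""
    if custom_pipeline is None:
        return None
    candidate = f"{custom_pipeline}.py"
    return candidate if candidate in repo_files else None


def download_vulnerable(repo_files, custom_pipeline=None, trust_remote_code=False):
    """Guard keyed on the *argument*: it never fires for the default None,
    yet the resolver still hands back None.py for import."""
    if custom_pipeline is not None and not trust_remote_code:
        raise PermissionError("custom pipeline requires trust_remote_code=True")
    return resolve_vulnerable(repo_files, custom_pipeline)


def download_fixed(repo_files, custom_pipeline=None, trust_remote_code=False):
    """Guard keyed on the *resolved file*: whatever would be imported needs
    explicit trust, however it was selected."""
    module = resolve_fixed(repo_files, custom_pipeline)
    if module is not None and not trust_remote_code:
        raise PermissionError(f"{module} would be imported; set trust_remote_code=True")
    return module


def is_blocked(loader, repo_files, **kwargs):
    """True if the loader refuses (raises PermissionError) for these arguments."""
    try:
        loader(repo_files, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Default load of the malicious repo: vulnerable path selects None.py,
    # fixed path selects nothing.
    print("vulnerable:", download_vulnerable(MALICIOUS_REPO_FILES))
    print("fixed:", download_fixed(MALICIOUS_REPO_FILES))
```

The two vulnerable functions disagree about what "no custom pipeline" means: the guard treats None as "nothing to check" while the resolver turns the same None into a real filename. The fix keys the guard on the artifact that would be imported rather than on the caller's argument, so the two can no longer drift apart.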
Defensive priority
High. This affects a common model-loading path and executes attacker-controlled code from nothing more than a standard repository load. Treat any environment that pulls remote models as exposed until diffusers is upgraded and repository trust controls are enforced.
Recommended defensive actions
- Upgrade Hugging Face diffusers to 0.38.0 or later.
- Audit all uses of DiffusionPipeline.from_pretrained() and similar loaders for remote or untrusted repositories.
- Restrict model loading to trusted, reviewed repositories and pinned revisions.
- Treat unexpected files in model repos, especially None.py and any other Python source file you did not expect, as suspicious and block them in review or policy checks.
- Limit outbound network access and execution privileges for systems that download and load models from the Hugging Face Hub.
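A pre-load audit that implements the repository review point above. This is an added example, not a diffusers or Hugging Face Hub feature; it assumes the repository has already been fetched into a local directory (for instance with snapshot_download) and inspects the files on disk before any loader runs. The allowlist of file types, the severity labels and the constructed demo repository are all assumptions.

```python
import json
import tempfile
from pathlib import Path

# Assumed policy: file types a diffusion pipeline repository is expected to
# contain. Anything else is surfaced for review; Python source is blocked.
ALLOWED_SUFFIXES = {".json", ".safetensors", ".txt", ".md"}


def audit_snapshot(snapshot_dir: str) -> list[str]:
    """Return findings for a downloaded repo; an empty list means no flags."""
    root = Path(snapshot_dir)
    findings: list[str] = []

    index = root / "model_index.json"
    if not index.is_file():
        findings.append("high: model_index.json missing")
    else:
        try:
            json.loads(index.read_text(encoding="utf-8"))
        except ValueError:
            findings.append("high: model_index.json is not valid JSON")

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".py":
            # Any Python source can be imported by a custom-pipeline loader;
            # None.py is the file name this advisory specifically describes.
            level = "critical" if path.name == "None.py" else "high"
            findings.append(f"{level}: python source {rel}")
        elif path.suffix not in ALLOWED_SUFFIXES:
            findings.append(f"review: unexpected file type {rel}")
    return findings


def has_blocking_findings(findings: list[str]) -> bool:
    """True if any finding should stop the load outright."""
    return any(f.startswith(("critical:", "high:")) for f in findings)


def build_constructed_repo(include_none_py: bool) -> str:
    """Write a constructed, minimal repo layout to a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="snapshot_"))
    (root / "model_index.json").write_text(
        json.dumps({"_class_name": "StableDiffusionPipeline"}), encoding="utf-8"
    )
    (root / "unet").mkdir()
    (root / "unet" / "config.json").write_text("{}", encoding="utf-8")
    (root / "unet" / "diffusion_pytorch_model.safetensors").write_bytes(b"")
    if include_none_py:
        # Stand-in for attacker-controlled module content; never imported here.
        (root / "None.py").write_text("print('would run at import')\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for include in (False, True):
        repo = build_constructed_repo(include)
        result = audit_snapshot(repo)
        print(repo, "BLOCK" if has_blocking_findings(result) else "ok", result)
```

Run the audit between download and from_pretrained(), and refuse to proceed when has_blocking_findings() is true. The allowlist is deliberately narrow; widen it to match your own repositories rather than relaxing the rule that Python source never passes without explicit review.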
Evidence notes
The assessment is based on the supplied CVE record, which lists CVE-2026-44827 as analyzed by NVD with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and version criteria ending before 0.38.0. The linked GitHub security advisory is identified as the vendor reference. No additional sources were used beyond the supplied official records and links.
Official resources
- CVE-2026-44827 CVE record (CVE.org)
- CVE-2026-44827 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
Publicly disclosed in the supplied CVE record on 2026-05-14 and modified on 2026-05-19. The record links to the Hugging Face diffusers GitHub security advisory as the vendor reference. No CISA KEV entry was supplied.