Organizations using vulnerable versions of the Hugging Face Transformers library could unknowingly execute attacker-controlled code simply by loading a malicious AI model.
Researchers at Pluto disclosed a remote code execution (RCE) vulnerability that bypasses the library’s built-in trust_remote_code=False security control, potentially exposing cloud credentials, SSH keys, API tokens, and other sensitive assets.
“One poisoned field in a model’s config.json silently executes arbitrary code on anyone who loads it. No special flags. No warnings. Just the standard from_pretrained() call,” said researchers in their analysis.
Key Takeaways
- CVE-2026-4372 allows remote code execution through malicious Hugging Face model configurations, bypassing the library’s trust_remote_code=False security control.
- The vulnerability affects multiple Transformers versions when the optional kernels package is installed, a common configuration in GPU-accelerated AI environments.
- Attackers can trigger code execution through a standard from_pretrained() call, potentially exposing cloud credentials, API tokens, SSH keys, and other sensitive assets.
Inside the Hugging Face RCE Flaw
The vulnerability, tracked as CVE-2026-4372, affects multiple Hugging Face Transformers versions when the optional kernels package is installed.
Although the package is not enabled by default, it is commonly used in GPU-accelerated inference environments and is often included through the transformers[all] installation option.
Researchers said vulnerable Transformers versions were downloaded about 232 million times before a patch was released, creating supply chain risk for organizations using third-party AI models.
What Caused the Vulnerability?
The flaw originates in how Transformers processes model configuration files (config.json).
Researchers found that the library relied on a generic setattr() mechanism that applied configuration parameters directly to internal objects, including private attributes that were never intended to be influenced by untrusted input.
As a result, attackers could manipulate internal settings through a specially crafted model configuration.
How the Exploit Works
One of those settings, _attn_implementation_internal, controls attention kernel selection within the library.
By modifying this attribute to reference a malicious kernel repository hosted on Hugging Face Hub, an attacker could trigger the automatic download and import of attacker-controlled Python code.
Because this process occurred during a routine from_pretrained() operation, victims would see no unusual prompts or warnings before the malicious code executed.
Researchers noted that the flaw bypassed one of the platform’s primary security controls, the trust_remote_code=False setting, which organizations rely on to prevent untrusted code from running.
Exploitation required no special permissions, security exceptions, or additional user interaction beyond loading the model.
Proof-of-concept exploits demonstrated that attackers could access cloud credentials, API tokens, and other sensitive assets, potentially providing a foothold into enterprise infrastructure.
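The mechanism described above (config.json keys applied verbatim to private attributes, with _attn_implementation_internal able to name an external kernel repository) suggests a simple pre-load check. The script below is an added illustration, not code from the Pluto researchers or the Transformers project; the allowlist of built-in backend names and the two sample configs are assumptions constructed for the example.

```python
import json
import re

# Assumed allowlist of built-in attention backends that need no download.
# Anything else (in particular "org/repo"-shaped values) is treated as a
# reference to an external kernel repository and flagged.
BUILTIN_ATTN_IMPLEMENTATIONS = {"eager", "sdpa", "flash_attention_2"}

# Keys whose value selects the attention kernel; the private one is the
# attribute the article says a crafted config.json could override.
ATTN_KEYS = {"attn_implementation", "_attn_implementation_internal"}

HUB_REPO_RE = re.compile(r"^[\w.-]+/[\w.-]+$")


def scan_config(config):
    """Return a list of findings (empty when nothing looks suspicious).

    Two checks: (1) any top-level key starting with "_" targets a private
    attribute and is reported, because config.json should only carry public
    hyperparameters; (2) an attention-implementation value that is not a
    built-in backend name, or looks like a hub "org/repo" path, is reported.
    """
    findings = []
    for key, value in config.items():
        if key.startswith("_"):
            findings.append(f"private attribute override: {key!r}")
        if key in ATTN_KEYS and isinstance(value, str) \
                and value not in BUILTIN_ATTN_IMPLEMENTATIONS:
            kind = "hub repository reference" if HUB_REPO_RE.match(value) else "unknown backend"
            findings.append(f"{key}={value!r} ({kind})")
    return findings


def scan_config_text(text):
    """Parse a config.json payload and scan it; invalid JSON is itself a finding."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]
    if not isinstance(config, dict):
        return ["config.json top level is not a JSON object"]
    return scan_config(config)


# Constructed samples: a benign config and one carrying a private override
# that points at a placeholder (not real) kernel repository.
BENIGN = {"model_type": "llama", "hidden_size": 4096, "attn_implementation": "sdpa"}
SUSPICIOUS = {"model_type": "llama", "hidden_size": 4096,
              "_attn_implementation_internal": "example-org/placeholder-kernel"}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_config(cfg) or "clean")
```

Run it against each model's config.json before from_pretrained() in an evaluation sandbox; a non-empty result is a reason to reject the model, not to inspect it on a credentialed host.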
Reducing AI Supply Chain Risks
Because CVE-2026-4372 highlights the risks associated with AI supply chains and third-party model repositories, security teams should take steps to strengthen visibility, access controls, and monitoring across machine learning environments.
- Upgrade to the latest Transformers version, review environments that include the optional kernels package, and restrict the use of unapproved third-party AI models.
- Maintain an up-to-date software bill of materials (SBOM) and AI asset inventory to track deployed models, libraries, dependencies, and related components.
- Use isolated, sandboxed environments to evaluate external models before introducing them into production workflows.
- Implement least-privilege access controls and avoid storing long-lived credentials, API keys, or sensitive secrets on model-loading systems.
- Restrict outbound network connections and monitor for unusual model downloads, package imports, repository references, and other suspicious activity originating from machine learning infrastructure.
- Test incident response plans and use attack simulation solutions with scenarios around AI workload and supply chain compromise.
Collectively, these steps can help organizations reduce their exposure to AI supply chain threats while building resilience against attacks targeting machine learning environments and third-party model ecosystems.
AI Supply Chain Risks Are Growing
CVE-2026-4372 shows that AI models, configurations, and supporting components should be treated as part of the software supply chain, not as passive data files.
As organizations adopt more third-party models and open-source machine learning tools, attackers are finding new opportunities in model marketplaces, distribution platforms, and supposedly safe loading mechanisms.
Security controls that traditionally focused on applications, packages, and code repositories must now extend to models, configurations, and the broader AI supply chain.
One way organizations can reduce the risk posed by malicious models and other AI supply chain threats is by adopting a zero trust model that continuously verifies users, devices, workloads, and access requests.