Critical severity9.8NVD Advisory· Published Apr 23, 2026· Updated Apr 28, 2026

CVE-2026-25874

Description

LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.

Affected products

Huggingface/Lerobot
cpe:2.3:a:huggingface:lerobot:*:*:*:*:*:python:*:*
Range: <=0.5.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/huggingface/lerobot/pull/3048nvdIssue TrackingPatch
chocapikk.com/posts/2026/lerobot-pickle-rce/nvdExploitMitigationThird Party Advisory
github.com/huggingface/lerobot/issues/3047nvdExploitIssue TrackingThird Party Advisory
www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpcnvdThird Party AdvisoryExploit
github.com/huggingface/lerobot/issues/3134nvdIssue Tracking

News mentions

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
The Hacker News · Apr 28, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000