Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution
A critical vulnerability (CVE-2026-4372) in Hugging Face Transformers allows remote code execution via malicious model configuration files, impacting millions of users and AI pipelines.

A critical vulnerability, designated CVE-2026-4372, has been discovered in the Hugging Face Transformers library, a cornerstone for many machine learning projects. This flaw permits attackers to achieve remote code execution (RCE) by crafting malicious model configuration files. The vulnerability represents a significant supply chain risk, affecting a widely adopted framework used by developers, enterprises, and AI pipelines globally.
The root cause of the issue lies in the improper handling of untrusted data within model configuration files, specifically concerning the _attn_implementation_internal attribute. Attackers can inject malicious code into a model's config.json file. When the Transformers library loads such a model, it executes arbitrary Python code, even when the trust_remote_code=False security setting is active, effectively bypassing a crucial defense mechanism.
The vulnerability impacts Hugging Face Transformers versions 4.56.0 through 5.2.x when used with the optional kernels package. The vulnerable code path was introduced in August 2025 and remained exploitable until March 2026, creating an exposure window of approximately six months. During this period, any user loading a compromised model from the Hugging Face Hub using the standard from_pretrained() function was susceptible to silent compromise.
In a typical attack scenario, a threat actor would upload a seemingly legitimate model to the Hugging Face Hub. This model would contain a specially crafted config.json file whose _attn_implementation_internal field points to an attacker-controlled repository. When a victim downloads and loads this model, the Transformers library automatically fetches and imports the referenced code without adequate validation or sandboxing, leading to immediate code execution on the victim's system.
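Because the page identifies the offending field by name, a defender can audit already-downloaded model directories before loading anything. The following script is an added example (not Hugging Face code): it walks a directory tree such as the local Hub cache, parses every config.json, and flags any _attn_implementation_internal value that is not one of the built-in attention backends. The allowlist of built-in backend names is an assumption for illustration; tune it to the Transformers release you actually run.

```python
"""Audit local model directories for the config.json attribute described above.

Added defensive example, not part of the Transformers project. The allowlist
below is an ASSUMPTION (illustrative set of in-library attention backends).
"""
import json
import os
import tempfile
from typing import Dict, List

# In-library attention backends that require no external code fetch (assumed set).
ALLOWED_ATTN_IMPLEMENTATIONS = {"eager", "sdpa", "flash_attention_2", "flex_attention"}

# The internal attribute named in the advisory text above.
SUSPECT_KEY = "_attn_implementation_internal"


def audit_config(config: dict) -> List[str]:
    """Return findings for one parsed config.json; an empty list means clean."""
    findings = []
    if SUSPECT_KEY in config:
        value = config[SUSPECT_KEY]
        if not isinstance(value, str):
            findings.append(f"{SUSPECT_KEY}: non-string value {value!r}")
        elif value not in ALLOWED_ATTN_IMPLEMENTATIONS:
            findings.append(
                f"{SUSPECT_KEY}: non-built-in backend {value!r} "
                "(could cause Transformers to fetch and import external code)"
            )
    return findings


def audit_model_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` (e.g. ~/.cache/huggingface/hub) and audit every config.json.

    Unreadable or malformed files are reported too, so nothing is silently skipped.
    """
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "config.json" not in files:
            continue
        path = os.path.join(dirpath, "config.json")
        try:
            with open(path, encoding="utf-8") as fh:
                config = json.load(fh)
        except (OSError, ValueError) as exc:
            report[path] = [f"unreadable config: {exc}"]
            continue
        if not isinstance(config, dict):
            report[path] = ["config.json top level is not a JSON object"]
            continue
        findings = audit_config(config)
        if findings:
            report[path] = findings
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample cache with one clean and one flagged model, audit it."""
    root = tempfile.mkdtemp(prefix="hf-audit-demo-")
    samples = {
        "models--org--clean": {"model_type": "bert", SUSPECT_KEY: "sdpa"},
        # Constructed placeholder value, not a real repository.
        "models--org--flagged": {"model_type": "bert", SUSPECT_KEY: "EXAMPLE-ORG/EXAMPLE-REPO"},
    }
    for name, cfg in samples.items():
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "config.json"), "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
    return audit_model_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it against the real cache with audit_model_tree(os.path.expanduser("~/.cache/huggingface/hub")); any hit is a model to quarantine and review rather than load, regardless of the trust_remote_code setting in the calling code.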
Successful exploitation grants attackers the ability to access sensitive data such as AWS credentials, SSH keys, API tokens, and environment variables. Furthermore, it can be used to establish persistence, facilitate lateral movement across internal networks, and potentially compromise CI/CD pipelines, significantly escalating the potential damage.
The attack's stealthy nature makes detection exceptionally difficult, as code execution occurs during normal model loading without generating visible warnings. The scale of the potential impact is vast, considering the Transformers library boasts over 2.2 billion installations and processes approximately 146 million downloads monthly. With over a million models hosted on the Hugging Face Hub, the attack surface is extensive, with an estimated 232 million installations potentially vulnerable during the exposure period.
Researchers highlight that this vulnerability underscores a broader challenge within machine learning ecosystems: the tendency to treat model files and configurations as inherently trusted inputs. Similar patterns have been observed in other frameworks where security measures fail to prevent code execution due to overlooked internal pathways.
Hugging Face has addressed this critical issue by releasing version 5.3.0 of the Transformers library. The patch blocks unsafe internal attributes during configuration parsing and enforces stricter controls on kernel loading. Explicit user consent via trust_remote_code=True is now required for external code execution. Organizations are strongly urged to upgrade to version 5.3.0 or later immediately, audit previously downloaded models, monitor for suspicious network activity, and isolate model execution environments to mitigate risks.
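The affected range above has two conditions (a Transformers version from 4.56.0 up to but excluding 5.3.0, and the optional kernels package present), which is easy to get wrong by hand in a fleet of environments. The following added example (not Hugging Face code) encodes that range and checks the current interpreter's installed packages; the handling of pre-release tags as still affected is a conservative assumption of this example, not a statement from the advisory.

```python
"""Check an environment against the affected range stated in the advisory text:
Transformers 4.56.0 through 5.2.x together with the kernels package; fixed in 5.3.0.

Added defensive example, not part of the Transformers project.
"""
import importlib.metadata
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 56, 0)  # first vulnerable release named in the advisory
FIXED = (5, 3, 0)          # first patched release named in the advisory

# MAJOR.MINOR[.PATCH] followed by any suffix (rc1, .dev0, .post1, ...).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), has_suffix). A missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return core, bool(m.group(4))


def is_affected(transformers_version: str, kernels_installed: bool) -> bool:
    """True when the combination described in the advisory is present.

    Without the kernels package the stated vulnerable path is not reachable.
    ASSUMPTION: a 5.3.0 build carrying a pre-release suffix is treated as
    affected, since it may predate the fix; plain 5.3.0 and later are fixed.
    """
    if not kernels_installed:
        return False
    core, has_suffix = parse_version(transformers_version)
    if core < AFFECTED_MIN:
        return False
    if core < FIXED:
        return True
    return core == FIXED and has_suffix


def installed_version(distribution: str) -> Optional[str]:
    """Version of an installed distribution, or None when it is absent."""
    try:
        return importlib.metadata.version(distribution)
    except importlib.metadata.PackageNotFoundError:
        return None


def check_environment() -> dict:
    """Inspect the running interpreter and return a small, machine-readable verdict."""
    tv = installed_version("transformers")
    kv = installed_version("kernels")
    verdict = {"transformers": tv, "kernels": kv, "affected": False, "action": "none"}
    if tv is None:
        verdict["action"] = "transformers not installed here"
    elif is_affected(tv, kv is not None):
        verdict["affected"] = True
        verdict["action"] = "upgrade transformers to >= 5.3.0, then audit downloaded models"
    return verdict


if __name__ == "__main__":
    print(check_environment())
```

Run it in every Python environment that loads models (training hosts, inference containers, CI runners); the presence of kernels is what turns an in-range Transformers version into an actual exposure, so both values are reported together.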