Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
A critical unauthenticated remote code execution vulnerability (CVE-2026-25874, CVSS 9.3) has been disclosed in Hugging Face's LeRobot open-source robotics platform, with no patch currently available.

A critical security flaw has been disclosed in Hugging Face's LeRobot, an open-source robotics platform with nearly 24,000 GitHub stars. Tracked as CVE-2026-25874 and carrying a CVSS score of 9.3, the vulnerability allows unauthenticated attackers to achieve remote code execution on systems running the platform. The issue stems from unsafe deserialization using the pickle format over unauthenticated gRPC channels in the PolicyServer component.
According to a GitHub advisory, the flaw exists in the async inference pipeline, where `pickle.loads()` is used to deserialize data received without TLS authentication. An attacker can send a crafted pickle payload through `SendPolicyInstructions`, `SendObservations`, or `GetActions` gRPC calls to execute arbitrary operating system commands on the host machine. The vulnerability has been successfully validated against LeRobot version 0.4.3.
Security firm Resecurity highlighted the danger, noting that the service is designed for AI inference systems, which often run with elevated privileges to access internal networks, datasets, and expensive compute resources. Exploitation could lead to complete compromise of the PolicyServer host, impact connected robots, enable theft of sensitive data such as API keys and SSH credentials, and allow lateral movement across the network. Attackers could also crash services, corrupt models, or sabotage operations, posing physical safety risks.
The issue currently remains unpatched, with a fix planned for version 0.6.0. Interestingly, the same flaw was independently reported by another researcher in December 2025. The LeRobot team acknowledged the security risk in January 2026, noting that the affected codebase requires a near-total refactoring due to its experimental origins. Steven Palma, tech lead of the project, stated that deployment security has not been a strong focus until now, but as LeRobot is adopted in production, the team will pay closer attention to such issues.
This vulnerability once again exposes the dangers of using the pickle format, which can lead to arbitrary code execution simply by loading a specially crafted file. Security researcher Valentin Lobstein, who discovered and published additional details, noted the irony: Hugging Face created Safetensors specifically because pickle is dangerous for ML data, yet their own robotics framework deserializes attacker-controlled network input with `pickle.loads()` and includes `# nosec` comments to silence security warnings.
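The `pickle.loads()` pattern described in the advisory and in Lobstein's analysis above can be contrasted with the standard Python mitigation for bytes that cannot be trusted. The block below is an added example, not code from LeRobot, the advisory, or the planned 0.6.0 fix: it assumes a policy message is a plain dict (or `OrderedDict`) of lists and numbers and refuses any pickle that tries to resolve a global outside that allowlist, which is the step a code-execution payload depends on.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allowlisted (module, name) pairs a message may reference. Basic types (dict,
# list, str, bytes, numbers) are built by dedicated opcodes and never reach
# find_class; add only the classes a legitimate message actually carries.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup not in SAFE_GLOBALS.

    pickle resolves callables (os.system, subprocess.Popen, ...) through
    find_class before invoking them, so refusing here stops a payload before
    any attacker-chosen code runs. It is defence in depth only: the real fix
    is to stop pickling network input and to authenticate the gRPC channel.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on untrusted bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_refuse(data: bytes):
    """Return ('ok', obj) for allowlisted content, ('refused', reason) otherwise."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


# Constructed sample messages (not captured LeRobot traffic): two benign
# observation messages and one that merely references a non-allowlisted
# global. os.getcwd is a harmless stand-in; a message resolving os.system
# is refused at exactly the same point, before anything is called.
BENIGN_OBSERVATION = pickle.dumps({"joint_pos": [0.12, -0.4, 1.0], "timestep": 7})
ORDERED_OBSERVATION = pickle.dumps(OrderedDict(joint_pos=[0.5, 0.5], timestep=8))
GLOBAL_REFERENCE = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    for msg in (BENIGN_OBSERVATION, ORDERED_OBSERVATION, GLOBAL_REFERENCE):
        print(load_or_refuse(msg))
```

The allowlist has to stay tiny: every class added to it is another constructor an attacker can reach, so audit each entry rather than growing it to make messages load.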
Organizations using LeRobot in production or research environments are advised to isolate the PolicyServer component from untrusted networks and monitor for updates. The disclosure underscores the growing security challenges as open-source AI and robotics tools transition from experimental projects to production deployments.