Critical Hugging Face Transformers RCE (CVE-2026-4372) bypasses trust_remote_code on standard model loads
Hugging Face users running the Transformers library below version 5.3.0 are exposed to a critical remote-code-execution vulnerability that turns a routine model load into attacker-controlled Python execution — and it fires whether or not the developer flipped trust_remote_code off. NIST's National Vulnerability Database published CVE-2026-4372 on May 24, 2026 with a CVSS base score of 7.8 (High). The flaw is fixed in Transformers 5.3.0; every prior version is affected.
What's new
CVE-2026-4372 lets a malicious model author embed an _attn_implementation_internal field in config.json that points at an arbitrary Hugging Face Hub repository. When the victim calls the standard AutoModelForCausalLM.from_pretrained() API, the library downloads and executes Python code from that repo with the user's full OS privileges. From the NVD entry:
"The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges."
NVD attributes the bug to three concrete root causes: unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels (the attention kernels the field points the loader at). The bypass works without trust_remote_code=True — the toggle most organizations treat as the load-bearing safety control when consuming third-party models. The reference fix is a single Transformers commit (a7f8e7f), and the issue was reported through the huntr.com bounty program (bounty ID 1f693a6e-6836-4b8b-a0bd-ca036fba8884). Per third-party reporting, the patched 5.3.0 release shipped well ahead of the public CVE assignment in May.
Context
trust_remote_code has been the de-facto security boundary for the Hugging Face ecosystem since the parameter was introduced: leave it False, and the library is supposed to refuse to execute repo-supplied Python on model load. That assumption underwrites internal AI-security policies at most companies that pull weights from the Hub; penetration testers and platform teams have, for years, treated "models loaded with trust_remote_code=False" as the safe lane. CVE-2026-4372 falsifies that assumption for every Transformers install older than 5.3.0, a category that still covers many production inference and fine-tuning code paths in the wild.
The CVE follows a string of supply-chain incidents on AI model registries — typo-squatted weights, pickle-based payloads, tokenizer-level execution paths — but is notable for hitting the official, documented loading API rather than a fringe loading pattern. CVSS rates user interaction as required (UI:R) because the victim must initiate the model load, but loading a third-party model is, of course, the entire point of the Hub.
Why it matters
For practitioners, three things stand out from the NVD entry as written:
- The exploit hides behind the standard from_pretrained call, so any pipeline that pulls models by ID — RAG stacks, eval harnesses, fine-tuning jobs, agent frameworks — is in scope until upgraded.
- The patched version (5.3.0) was already cut by the time the CVE was published, so the remediation is a version bump, not a workaround.
- Because trust_remote_code=False did not block the attack, grepping for that flag in code review is not a sufficient compensating control on un-upgraded versions.
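A pre-load check a platform team could run while upgrades roll out, covering both the mechanism described under "What's new" and the review gap above. This is an added example, not code from the Transformers project or from the NVD entry. It walks a model's config.json for the attention-implementation keys, treats any value shaped like a Hub repository id ("owner/name", the shape NVD describes for the malicious field) rather than a built-in backend name as a download-and-execute reference, and combines that finding with the installed Transformers version. Assumptions: the built-in backend allowlist and the key names beyond `_attn_implementation_internal` are the example's own, the 5.3.0 threshold is taken from the advisory, and both config.json samples are constructed, with a placeholder repository id in the malicious one.

```python
"""Pre-load scan for the CVE-2026-4372 pattern (added example, not Transformers code)."""
import json
import re
from pathlib import Path
from typing import Any, Iterator

# Attention backends Transformers resolves in-process. ASSUMPTION for the
# example: verify this list against the Transformers release you actually run.
BUILTIN_ATTN_IMPLEMENTATIONS = {
    "eager", "sdpa", "flash_attention_2", "flash_attention_3", "flex_attention",
}

# Keys that can select an attention implementation. The first is the one NVD
# names for CVE-2026-4372; the others are included as a defensive assumption.
ATTN_KEYS = {"_attn_implementation_internal", "attn_implementation", "_attn_implementation"}

# Hub repository id shape: "owner/name". ASSUMPTION: kernel refs use this form.
HUB_REPO_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")

PATCHED_VERSION = (5, 3, 0)  # per the NVD entry


def _walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, value) for every attention key, including in
    nested sub-configs such as text_config / vision_config."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if key in ATTN_KEYS:
                yield here, value
            else:
                yield from _walk(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")


def find_attn_overrides(config: dict) -> list[tuple[str, Any]]:
    """Attention settings that are not a known in-process backend name."""
    return [
        (p, v) for p, v in _walk(config)
        if v is not None and not (isinstance(v, str) and v in BUILTIN_ATTN_IMPLEMENTATIONS)
    ]


def looks_like_hub_repo(value: Any) -> bool:
    return isinstance(value, str) and HUB_REPO_RE.match(value) is not None


def parse_version(version: str) -> tuple[int, int, int]:
    """Leading numeric components only: '5.3.0', '4.57' -> (4, 57, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(transformers_version: str) -> bool:
    return parse_version(transformers_version) >= PATCHED_VERSION


def assess(config: dict, transformers_version: str) -> dict:
    """block: Hub-style attention ref on an unpatched install (the CVE case).
    review: Hub-style ref on a patched install, or any unknown backend string.
    allow: only built-in backend names (or no attention key at all)."""
    overrides = find_attn_overrides(config)
    hub_refs = [(p, v) for p, v in overrides if looks_like_hub_repo(v)]
    patched = is_patched(transformers_version)
    if hub_refs and not patched:
        verdict = "block"
    elif overrides:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "patched": patched, "hub_refs": hub_refs, "overrides": overrides}


def assess_snapshot(snapshot_dir: Path, transformers_version: str) -> dict:
    """Scan the config.json of an already-downloaded model snapshot."""
    config = json.loads((snapshot_dir / "config.json").read_text(encoding="utf-8"))
    return assess(config, transformers_version)


# Constructed samples for the example; neither is a real model config.
BENIGN_CONFIG = {
    "model_type": "llama",
    "_attn_implementation_internal": "sdpa",
    "text_config": {"attn_implementation": "eager"},
}
MALICIOUS_CONFIG = {
    "model_type": "llama",
    "_attn_implementation_internal": "example-org/example-kernel",  # placeholder repo id
}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        for ver in ("5.2.1", "5.3.0"):
            print(name, ver, assess(cfg, ver)["verdict"])
```

Run it against the snapshot directory before calling from_pretrained, and load with a pinned `revision=` so the bytes scanned are the bytes loaded. It is a compensating control only: the scanner cannot see a kernel reference injected by other means, and the remediation remains upgrading to 5.3.0 or later.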
The broader signal is that "execution-from-config" remains a live class of bug in AI tooling, and that the security model of the AI model registry is still being learned in production. Expect more conservative defaults from Transformers on the next few releases — likely tighter allowlists on which config fields can reference external repositories — and expect AI platform teams to add Transformers version pinning to their dependency-scanning baselines if they haven't already.
Corroborating sources
- Nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-4372
“The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID.”
- Siliconangle
https://siliconangle.com/2026/06/04/critical-hugging-face-transformers-flaw-ran-attacker-code-routine-model-load/