CVE-2026-4372 Overview
CVE-2026-4372 is a remote code execution vulnerability affecting all versions of the HuggingFace transformers library prior to 5.3.0. Attackers craft a malicious config.json file containing the _attn_implementation_internal field that references an attacker-controlled HuggingFace Hub repository. When a victim loads the model through the standard AutoModelForCausalLM.from_pretrained() API, the library downloads and executes arbitrary Python code with the victim's OS privileges. The exploit bypasses the trust_remote_code safety mechanism, executes silently, and abuses the documented usage pattern. Maintainers released version 5.3.0 to remediate the issue.
Critical Impact
Loading an untrusted model triggers silent arbitrary code execution with the user's full privileges, bypassing the trust_remote_code safeguard.
Affected Products
- HuggingFace transformers library, all versions prior to 5.3.0
- Applications calling AutoModelForCausalLM.from_pretrained() on untrusted models
- Python environments consuming HuggingFace Hub repositories
Discovery Timeline
- 2026-05-24 - CVE-2026-4372 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-4372
Vulnerability Analysis
The vulnerability resides in how transformers processes the _attn_implementation_internal attribute inside a model's config.json. The library treats this internal field as an authoritative pointer to a kernel implementation hosted on the HuggingFace Hub. When a user invokes AutoModelForCausalLM.from_pretrained(), the loader downloads the referenced repository and executes its Python code in-process. The execution path runs outside the protections offered by trust_remote_code, so users who explicitly leave that flag disabled still execute attacker-controlled code. The flaw is categorized under CWE-1066, reflecting missed validation during object construction. Because configuration loading is silent and required for normal operation, victims observe no indicator of compromise during exploitation.
Root Cause
Three defects combine to enable exploitation. First, the deserializer copies arbitrary attributes from config.json into the model configuration object without filtering internal fields. Second, the kernel-resolution logic accepts a Hub repository identifier as a valid implementation reference. Third, the downloaded kernel executes in the host Python interpreter without sandboxing. Together these conditions transform configuration parsing into a code execution primitive.
Attack Vector
An attacker publishes a model repository on HuggingFace Hub containing a crafted config.json whose _attn_implementation_internal value points to a second attacker-controlled repository that hosts a Python kernel. The attacker then promotes the model through community channels, forks, or typosquatted names. When a victim loads the model with the standard from_pretrained() call, the library resolves the malicious attribute, downloads the kernel, and executes its __init__ and module-level code with the calling process's privileges. No prompt, dialog, or trust_remote_code=True confirmation is required, which is why the issue is invisible to the victim.
No verified proof-of-concept code is published. Refer to the Huntr bounty report and upstream commit for technical specifics:
https://huntr.com/bounties/1f693a6e-6836-4b8b-a0bd-ca036fba8884
https://github.com/huggingface/transformers/commit/a7f8e7ff37d87d1a1a0c8cf607971c607741452f
Detection Methods for CVE-2026-4372
Indicators of Compromise
- Presence of _attn_implementation_internal referencing an external Hub repository in any cached config.json under ~/.cache/huggingface/hub/.
- Unexpected outbound HTTPS traffic to huggingface.co during model load that retrieves Python files from a repository different from the model itself.
- Python child processes spawned by training, inference, or notebook sessions immediately after a from_pretrained() call.
Detection Strategies
- Statically scan downloaded config.json files for the _attn_implementation_internal key before model load and reject any that point to remote repositories.
- Audit dependency manifests for installed transformers versions and flag any release earlier than 5.3.0.
- Apply CWE-1066 inspired rules in code-review tooling to catch unfiltered deserialization of configuration attributes.
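A manifest audit of the kind described in the second strategy, as an added example (not tooling from the advisory or from the transformers project): it reads requirement lines or pip freeze output and flags every entry that can still resolve to a transformers release below 5.3.0, including pre-releases of 5.3.0. The sample manifest is constructed for the example.

```python
"""Audit requirement manifests / pip freeze output for transformers < 5.3.0.

Added example, not from the advisory or the transformers project. It understands
the common pip requirement shapes (==, >=, ~=, extras, a bare name) and treats a
version with a non-numeric suffix (rc, dev, post) conservatively as pre-release.
"""
import re

FIXED_VERSION = (5, 3, 0)   # first release containing the fix, per the advisory

REQ_RE = re.compile(
    r"^\s*transformers(?=[\s\[=<>!~;]|$)"        # package name with a boundary after it
    r"(?:\[[^\]]*\])?\s*"                        # optional extras such as [torch]
    r"(?P<op>==|>=|<=|!=|~=|<|>)?\s*"            # optional version operator
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?",             # optional version string
    re.IGNORECASE,
)


def parse_version(text: str):
    """Return (numeric tuple padded to three parts, has_non_numeric_suffix)."""
    numbers, suffixed = [], False
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if not match:
            suffixed = True          # e.g. "dev0"
            break
        numbers.append(int(match.group()))
        if match.end() != len(part):
            suffixed = True          # e.g. "0rc1"
            break
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3]), suffixed


def is_vulnerable(version: str) -> bool:
    """True for any version below 5.3.0, and for 5.3.0 with a suffix (rc/dev)."""
    numbers, suffixed = parse_version(version)
    return numbers < FIXED_VERSION or (numbers == FIXED_VERSION and suffixed)


def audit_manifest(lines) -> list:
    """Return findings for lines that can resolve to a vulnerable transformers."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQ_RE.match(line.split("#", 1)[0])   # drop trailing comments
        if not match:
            continue
        op, ver = match.group("op"), match.group("ver")
        if ver is None or op is None:
            status = "unpinned"                      # resolver chooses; nothing proven
        elif op == "==":
            status = "vulnerable" if is_vulnerable(ver) else "fixed"
        elif op in (">=", ">", "~="):
            status = "floor-below-fix" if is_vulnerable(ver) else "fixed"
        else:                                        # <, <=, != give no lower bound
            status = "unpinned"
        if status != "fixed":
            findings.append({"line": lineno, "spec": line.strip(), "status": status})
    return findings


# Constructed sample manifest (not a real project's requirements file).
SAMPLE_MANIFEST = """\
torch==2.4.0
transformers==4.57.1          # pinned below the fix
transformers[torch]>=5.1
# transformers==5.3.0  (commented out, so ignored)
Transformers
transformers-stream-generator==0.0.5
accelerate>=1.0
""".splitlines()

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Feed it the output of `pip freeze` from each environment to catch installed versions, and each requirements file to catch specifications that would reinstall an old release on the next build.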
Monitoring Recommendations
- Log all HuggingFace Hub downloads with repository identifiers and correlate them against the model the user intended to load.
- Alert on Python interpreters that initiate shell, network, or filesystem activity within seconds of a transformers model load.
- Review SaaS notebook and ML platform telemetry for new outbound destinations triggered by data science workloads.
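The first monitoring recommendation, correlating Hub downloads against the model the process intended to load, as an added example (not part of the advisory or of transformers). The log format is an assumption: it models a download hook or egress proxy that writes one line per load or download event with the calling pid, the Hub repository id and the fetched file. The sample log lines are constructed.

```python
"""Correlate Hub download events against the model a process intended to load.

Added example, not part of the advisory or of transformers. The log line
format is assumed (see LINE_RE); adapt the regex to your own hook or proxy.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) event=(?P<event>load|download) "
    r"repo=(?P<repo>\S+)(?: file=(?P<file>\S+))?$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None for lines in another format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def correlate(lines) -> list:
    """Flag downloads whose repository differs from the model the process is loading."""
    intended = {}   # pid -> repository named in that process's most recent load event
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, repo, file = rec["pid"], rec["repo"], rec["file"] or ""
        if rec["event"] == "load":
            intended[pid] = repo
            continue
        expected = intended.get(pid)
        if expected is None:
            alerts.append({"severity": "medium", "pid": pid, "repo": repo, "file": file,
                           "reason": "download without a preceding load event"})
        elif repo != expected:
            # Python source pulled from a repository other than the model being
            # loaded is the CVE-2026-4372 pattern; other files get a lower severity.
            severity = "high" if file.endswith(".py") else "medium"
            alerts.append({"severity": severity, "pid": pid, "repo": repo, "file": file,
                           "reason": f"fetched from {repo} while loading {expected}"})
    return alerts


# Constructed sample log; repository names and pids are made up for the example.
SAMPLE_LOG = """\
2026-05-25T10:00:01Z pid=4242 event=load repo=acme/assistant-7b
2026-05-25T10:00:02Z pid=4242 event=download repo=acme/assistant-7b file=config.json
2026-05-25T10:00:03Z pid=4242 event=download repo=acme/assistant-7b file=model.safetensors
2026-05-25T10:00:04Z pid=4242 event=download repo=evil-org/evil-kernel file=kernel/__init__.py
2026-05-25T10:00:05Z pid=4242 event=download repo=evil-org/evil-kernel file=kernel/attention.py
2026-05-25T10:01:00Z pid=5151 event=download repo=someone/other-model file=config.json
this line is in another format and is skipped
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Keyed on pid, the rule stays quiet for the normal case (every file comes from the repository named in the load call) and raises a high-severity alert only when Python source arrives from a second repository during that load, which is exactly the sequence the attack vector above describes.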
How to Mitigate CVE-2026-4372
Immediate Actions Required
- Upgrade transformers to version 5.3.0 or later across all training, inference, and developer environments.
- Inventory cached models and remove any config.json containing _attn_implementation_internal until the value can be validated.
- Restrict model sources to a vetted internal mirror or pinned repository allowlist.
Patch Information
The upstream fix is committed in HuggingFace Transformers commit a7f8e7ff and shipped in release 5.3.0. The patch filters internal configuration fields during deserialization and removes the implicit kernel download path. Additional context is available in the Huntr Bounty Report.
Workarounds
- Run model-loading workloads inside a network-isolated container that blocks egress to the HuggingFace Hub except for an approved proxy.
- Pre-process config.json files to strip the _attn_implementation_internal field before passing models to from_pretrained().
- Execute untrusted model loads under a least-privilege service account that cannot access source code, credentials, or production data.
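The static config.json scan from the detection strategies and the field-stripping workaround above, as one added example (not transformers' own code and not from the advisory). Two points are assumptions rather than facts from the advisory: a value shaped like a Hub repository id ("owner/name") or a URL is treated as remote, and a small allowlist of plain local backend names is treated as harmless; anything else is quarantined as suspicious. The sample configs and the repository name in them are constructed.

```python
"""Static check for the _attn_implementation_internal field in config.json.

Added example for this advisory; it is not transformers' own code.
Assumptions not taken from the advisory: a value that looks like a Hub
repository id ("owner/name") or a URL is treated as remote, and a small
allowlist of plain local backend names is treated as harmless.
"""
import json
from pathlib import Path
from typing import Iterator

FIELD = "_attn_implementation_internal"

# Assumed allowlist of local attention backends; anything else is not trusted.
LOCAL_IMPLEMENTATIONS = {"eager", "sdpa", "flash_attention_2", "flex_attention"}


def classify_value(value) -> str:
    """Return "local", "reject" or "suspicious" for one field value."""
    if not isinstance(value, str):
        return "suspicious"            # non-string values are never a local backend name
    value = value.strip()
    if value in LOCAL_IMPLEMENTATIONS:
        return "local"
    # "owner/name" repository ids and explicit URLs would make the loader fetch code.
    if "/" in value or value.startswith(("http://", "https://", "hf://")):
        return "reject"
    return "suspicious"                # unknown bare name: quarantine until validated


def scan_config(text: str) -> dict:
    """Classify the body of one config.json without loading the model."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"status": "invalid-json", "reason": str(exc)}
    if not isinstance(cfg, dict):
        return {"status": "invalid-json", "reason": "top level is not an object"}
    if FIELD not in cfg:
        return {"status": "clean"}
    return {"status": classify_value(cfg[FIELD]), "value": cfg[FIELD]}


def strip_field(text: str) -> str:
    """Workaround: return the config with the field removed, before from_pretrained()."""
    cfg = json.loads(text)
    cfg.pop(FIELD, None)
    return json.dumps(cfg, indent=2)


def scan_cache(root: Path) -> Iterator[tuple]:
    """Walk a cache directory (e.g. ~/.cache/huggingface/hub) and yield (path, verdict)."""
    for path in root.rglob("config.json"):
        try:
            yield path, scan_config(path.read_text(encoding="utf-8"))
        except OSError as exc:
            yield path, {"status": "unreadable", "reason": str(exc)}


# Constructed sample configs; the repository name is made up for the example.
BENIGN = '{"model_type": "llama", "_attn_implementation_internal": "sdpa"}'
MALICIOUS = '{"model_type": "llama", "_attn_implementation_internal": "evil-org/evil-kernel"}'

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_config(text))
    print(strip_field(MALICIOUS))
    for path, verdict in scan_cache(Path.home() / ".cache" / "huggingface" / "hub"):
        if verdict["status"] != "clean":
            print(path, verdict)
```

Run scan_cache over the local Hub cache (or the directory your mirror serves from) before any from_pretrained() call and block on "reject"; "suspicious" entries hold a value the allowlist does not know and should be reviewed rather than silently allowed. strip_field is the workaround for environments that cannot upgrade yet, applied to the config before the model is handed to the loader.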
# Configuration example: upgrade transformers and verify the installed version
pip install --upgrade "transformers>=5.3.0"
python -c "import transformers; print(transformers.__version__)"
# Sanity check cached config.json files for the offending field: grep lists every
# matching file; when nothing matches it exits non-zero and "clean" is printed
grep -Rl --include=config.json "_attn_implementation_internal" ~/.cache/huggingface/hub/ || echo "clean"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.