
CVE-2026-5241: Hugging Face Transformers RCE Vulnerability

CVE-2026-5241 is a remote code execution flaw in Hugging Face Transformers 5.2.0 that allows attackers to execute arbitrary code during LightGlue model initialization. This article covers technical details, affected systems, and mitigation.

CVE-2026-5241 Overview

CVE-2026-5241 is a remote code execution vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0. The flaw allows an attacker-controlled model repository to execute arbitrary Python code during model initialization. The trust_remote_code parameter, intended to block untrusted code execution, is overridden by serialized configuration data read from config.json. Even when a victim explicitly sets trust_remote_code=False in AutoModel.from_pretrained(), the nested LightGlueConfig propagates the attacker-supplied value into downstream AutoConfig.from_pretrained() calls.

Critical Impact

Loading a malicious LightGlue model executes attacker-provided Python modules in the host process, enabling credential theft, lateral movement, and backdoor deployment in inference servers, CI/CD pipelines, and research notebooks.

Affected Products

  • huggingface/transformers version 5.2.0
  • LightGlue model loading path (LightGlueConfig, LightGlueForKeypointMatching)
  • Downstream applications using AutoModel.from_pretrained() with LightGlue checkpoints

Discovery Timeline

  • 2026-06-03 - CVE-2026-5241 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-5241

Vulnerability Analysis

The vulnerability is an instance of inclusion of functionality from an untrusted control sphere [CWE-829]. When a user calls AutoModel.from_pretrained("attacker/model", trust_remote_code=False), the loader fetches config.json from the remote repository and instantiates LightGlueConfig. The configuration class reads a trust_remote_code field from the deserialized JSON and stores it on the config object. The model constructor then passes config.trust_remote_code into nested AutoConfig.from_pretrained() and AutoModelForKeypointDetection.from_config() calls for the keypoint detector sub-model.

The attacker can set trust_remote_code: true inside config.json, overriding the caller's explicit False value. The nested loader then imports and executes Python modules referenced by the malicious config, achieving arbitrary code execution in the victim process.

Root Cause

The root cause is a trust boundary violation: a security-relevant parameter sourced from the caller is silently replaced by attacker-controlled data deserialized from a remote file. The LightGlueConfig class treats config.trust_remote_code as authoritative rather than honoring the explicit argument supplied to the top-level from_pretrained() call.
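To make the propagation path concrete, the following is an added illustration and not code from huggingface/transformers. It models only the decision logic described above with hypothetical stand-ins (ToyLightGlueConfig, nested_loader, load_lightglue) for LightGlueConfig and AutoModelForKeypointDetection.from_config(); nothing is imported or executed, the nested loader just reports what a real loader would do. The config.json samples are constructed, and the use of an auto_map key to mark custom detector code is an assumption of this model.

```python
"""Toy model of how a serialized trust_remote_code value overrides the caller.

Added illustration, not code from huggingface/transformers. Class and
function names are hypothetical stand-ins; only the trust decision is
modelled, no module is ever imported.
"""
import json


class ToyLightGlueConfig:
    """Mimics a config class that copies the serialized JSON onto itself."""

    def __init__(self, data: dict, honor_serialized_trust: bool):
        self.keypoint_detector_config = data.get("keypoint_detector_config", {})
        # Vulnerable behaviour: the serialized field becomes an attribute.
        # Patched behaviour: the field no longer exists on the config at all.
        self.trust_remote_code = (
            data.get("trust_remote_code") if honor_serialized_trust else None
        )


def nested_loader(sub_config: dict, trust_remote_code: bool) -> str:
    """Stand-in for AutoModelForKeypointDetection.from_config().

    Returns a label describing what a real loader would do: with
    trust_remote_code=True it would import the module named in auto_map.
    """
    if "auto_map" in sub_config and trust_remote_code:
        return "WOULD_IMPORT_REMOTE_MODULE"
    if "auto_map" in sub_config:
        return "REFUSED_REMOTE_MODULE"
    return "BUILTIN_MODEL"


def load_lightglue(config_json: str, trust_remote_code: bool, patched: bool) -> str:
    """Simulate AutoModel.from_pretrained(repo, trust_remote_code=...)."""
    data = json.loads(config_json)
    cfg = ToyLightGlueConfig(data, honor_serialized_trust=not patched)
    if patched:
        # Fix, as in the upstream hunk: the nested loader is called without
        # any trust flag, so it falls back to its safe default of False.
        return nested_loader(cfg.keypoint_detector_config, False)
    # Flaw: config.trust_remote_code, if present, silently replaces the
    # caller's explicit argument for the nested sub-model load.
    effective = (
        cfg.trust_remote_code if cfg.trust_remote_code is not None else trust_remote_code
    )
    return nested_loader(cfg.keypoint_detector_config, effective)


# Constructed config.json resembling what a hostile repository could ship.
MALICIOUS_CONFIG = json.dumps({
    "model_type": "lightglue",
    "trust_remote_code": True,
    "keypoint_detector_config": {
        "model_type": "superpoint",
        "auto_map": {"AutoModelForKeypointDetection": "custom_detector.CustomDetector"},
    },
})

# Constructed benign config with no remote-code markers.
BENIGN_CONFIG = json.dumps({
    "model_type": "lightglue",
    "keypoint_detector_config": {"model_type": "superpoint"},
})

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(name, "vulnerable:", load_lightglue(cfg, trust_remote_code=False, patched=False))
        print(name, "patched:   ", load_lightglue(cfg, trust_remote_code=False, patched=True))
```

Running it shows the malicious config reaching WOULD_IMPORT_REMOTE_MODULE on the vulnerable path even though the caller passed trust_remote_code=False, and REFUSED_REMOTE_MODULE once the serialized value is no longer forwarded.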

Attack Vector

An attacker publishes a malicious LightGlue model repository on a model hub or hosts it on any URL the victim loads. When the victim, or an automated pipeline, calls AutoModel.from_pretrained() against that repository, the embedded config.json triggers loading of the attacker's custom keypoint detector code. Exploitation requires user interaction, namely loading the model, but no authentication.

python
# Patch: src/transformers/models/lightglue/modeling_lightglue.py
# Source: https://github.com/huggingface/transformers/commit/676559d5022b74aaa0cee1cee0842b7f27c5320e

 def __init__(self, config: LightGlueConfig):
     super().__init__(config)
-    self.keypoint_detector = AutoModelForKeypointDetection.from_config(
-        config.keypoint_detector_config, trust_remote_code=config.trust_remote_code
-    )
+    self.keypoint_detector = AutoModelForKeypointDetection.from_config(config.keypoint_detector_config)

     self.keypoint_detector_descriptor_dim = config.keypoint_detector_config.descriptor_decoder_dim
     self.descriptor_dim = config.descriptor_dim
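Review bot: this hunk only drops the trust_remote_code argument from the AutoModelForKeypointDetection.from_config() call in modeling_lightglue.py; the accompanying text also states that the field was removed from LightGlueConfig itself and that the value reached nested AutoConfig.from_pretrained() calls, neither of which is visible here. Suggest showing or linking the corresponding LightGlueConfig change alongside this excerpt so a reader can confirm that config.trust_remote_code can no longer be set from config.json at all, rather than merely not being forwarded at this one call site.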

The patch removes propagation of config.trust_remote_code into the nested loader, eliminating the override path. The trust_remote_code field was also removed from LightGlueConfig itself.

Detection Methods for CVE-2026-5241

Indicators of Compromise

  • Outbound network connections from Python processes immediately after from_pretrained() calls referencing LightGlue checkpoints.
  • Presence of trust_remote_code: true inside any cached config.json for LightGlue models stored under ~/.cache/huggingface/hub/.
  • Unexpected child processes (shells, package managers, curl, wget) spawned by Python workers running inference or evaluation jobs.
  • New or modified .py files in Hugging Face cache directories containing imports referenced from auto_map fields.

Detection Strategies

  • Inspect every cached config.json for LightGlue repositories and flag any with a trust_remote_code key or auto_map entries pointing to non-canonical modules.
  • Pin transformers versions in dependency manifests and alert on installations of 5.2.0 without the security patch commit 676559d.
  • Monitor Python processes for import activity originating from paths under the Hugging Face cache directory rather than site-packages.

Monitoring Recommendations

  • Log all AutoModel.from_pretrained() calls with their trust_remote_code argument and the resolved repository identifier.
  • Egress-filter ML training and inference hosts so they can only reach approved model registries.
  • Alert on shell or interpreter child processes spawned by long-running model-serving workers.

How to Mitigate CVE-2026-5241

Immediate Actions Required

  • Upgrade huggingface/transformers past version 5.2.0 to a release containing commit 676559d5022b74aaa0cee1cee0842b7f27c5320e.
  • Audit existing LightGlue model caches and delete any repositories pulled from untrusted publishers.
  • Restrict model loading in production inference servers, CI/CD runners, and notebook environments to a vetted allowlist of repository IDs.

Patch Information

The fix is in upstream commit huggingface/transformers@676559d, which removes the trust_remote_code field from LightGlueConfig and stops propagating it into nested AutoModelForKeypointDetection.from_config() calls. Additional details are tracked in the Huntr bounty report.

Workarounds

  • Until the patch is applied, do not load LightGlue checkpoints from any repository outside your organization's trust boundary.
  • Run model loading inside sandboxed containers with no outbound network access and read-only filesystems where possible.
  • Strip or validate config.json files before loading: reject any LightGlue config containing a trust_remote_code key or an auto_map field referencing remote modules.

bash
# Upgrade transformers to a patched release
pip install --upgrade 'transformers>5.2.0'

# Inspect cached LightGlue configs for a serialized trust_remote_code override.
# Matches only the key set to true inside config.json files, instead of any
# occurrence of the word "true" in files that merely mention the key.
grep -RIE --include=config.json '"trust_remote_code"[[:space:]]*:[[:space:]]*true' ~/.cache/huggingface/hub/
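The two list items above that ask for cached config.json files to be inspected (flagging any trust_remote_code key or auto_map entry, under Detection Strategies) and validated before loading (under Workarounds) can be served by one scanner. The following is an added example, not code from the page or from transformers. It assumes only that config.json files sit somewhere below the cache root named on the page (~/.cache/huggingface/hub/); the function names are this example's own, and the sample configs are constructed. It goes slightly beyond the text by recursing into nested sub-configs such as keypoint_detector_config, since that is where the nested loader reads its settings.

```python
"""Pre-load validator for cached Hugging Face config.json files.

Added example, not part of the page or of transformers. Walks a cache tree,
parses every config.json, and rejects LightGlue configs that carry a
trust_remote_code key or an auto_map entry at any nesting depth.
"""
import json
import os
import sys
from pathlib import Path

# Keys that can cause custom code to be imported during model loading.
REMOTE_CODE_KEYS = ("trust_remote_code", "auto_map")


def find_remote_code_markers(node, path=""):
    """Recursively collect 'json.path=value' strings for remote-code keys."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in REMOTE_CODE_KEYS:
                findings.append(f"{child}={json.dumps(value)}")
            findings.extend(find_remote_code_markers(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_remote_code_markers(item, f"{path}[{i}]"))
    return findings


def check_config(data: dict) -> dict:
    """Return a verdict for one parsed config.json."""
    markers = find_remote_code_markers(data)
    lightglue = data.get("model_type") == "lightglue"
    return {
        "lightglue": lightglue,
        "markers": markers,
        # Per the workaround: any marker inside a LightGlue config is a reject.
        "reject": lightglue and bool(markers),
    }


def scan_cache(root) -> list:
    """Return (path, verdict) for every config.json under root that is rejected.

    Unparseable files are reported too, since a loader cannot vet what it
    cannot parse; callers can decide whether to quarantine them.
    """
    rejected = []
    for cfg_path in Path(root).rglob("config.json"):
        try:
            data = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            rejected.append((str(cfg_path), {"error": str(exc)}))
            continue
        verdict = check_config(data)
        if verdict["reject"]:
            rejected.append((str(cfg_path), verdict))
    return rejected


# Constructed sample: a LightGlue config shipping the override and a custom detector.
SUSPICIOUS = {
    "model_type": "lightglue",
    "trust_remote_code": True,
    "keypoint_detector_config": {
        "model_type": "superpoint",
        "auto_map": {"AutoModelForKeypointDetection": "evil_mod.Detector"},
    },
}

# Constructed sample: a LightGlue config with no remote-code markers.
CLEAN = {
    "model_type": "lightglue",
    "keypoint_detector_config": {"model_type": "superpoint"},
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.cache/huggingface/hub")
    for path, verdict in scan_cache(root):
        print(f"REJECT {path}: {verdict}")
```

Run it with no arguments to sweep the default cache, or pass a directory to scan a staging area before a checkpoint is promoted into an approved registry; anything it rejects should be deleted rather than loaded.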

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
