Description
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Published: 2026-04-07
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the HuggingFace Transformers library’s Trainer class where a call to torch.load() in the _load_rng_state() method omits the weights_only=True parameter, enabling arbitrary code execution when a malicious checkpoint file is loaded. The flaw is attributable to CWE-502. An attacker who can supply a crafted checkpoint can execute code on the system executing the trainer, potentially compromising confidentiality, integrity, and availability.

Affected Systems

All versions of transformers that support torch≥2.2 and are used with PyTorch below 2.6 are affected. The issue is fixed in version v5.0.0rc3. The affected product is HuggingFace Transformers, a popular open‑source library for natural language processing.

Risk and Exploitability

The CVSS base score of 7.8 reflects a high severity, and the EPSS score of less than 1 % indicates a low likelihood of exploitation on the global scale; it is not listed in CISA’s KEV catalog. The attack requires an attacker to supply a malicious checkpoint file, usually through an untrusted model or data source, so the primary vectors are compromised model artifacts or data pipelines. Because the flaw manifests during model checkpoint loading, it can be mitigated by ensuring only trusted checkpoint files are used and by applying the vendor patch. The overall risk is moderate to high for organizations that routinely load external checkpoints and therefore should act promptly.

Generated by OpenCVE AI on April 28, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HuggingFace Transformers to version v5.0.0rc3 or later.
  • If upgrading cannot be performed immediately, do not load any checkpoint files from untrusted sources.
  • When loading checkpoints, enforce weights_only=True or execute the load in a sandboxed environment to limit malicious code execution.
  • Verify the integrity of checkpoint files before use and monitor training processes for anomalous behavior.
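A pre-load check can support the last two recommendations. The following is an added example, not code from Transformers or OpenCVE: it walks the pickle opcodes of a checkpoint such as `rng_state.pth` without unpickling it and reports every imported global outside an allowlist. The allowlist contents, the function names and the sample data are assumptions made for illustration.

```python
import io
import pickle
import pickletools
import platform
import zipfile
from collections import OrderedDict

# Assumed, illustrative allowlist of globals a legitimate RNG-state file may
# reference; tune it to what your own checkpoints actually contain.
ALLOWED = {
    ("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "ByteStorage"), ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"), ("numpy", "dtype"),
}

def scan_pickle(pkl: bytes) -> list:
    """Return globals outside ALLOWED, found by walking opcodes (never unpickles)."""
    found, recent, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(pkl):
        if op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[len(memo) if arg is None else arg] = recent[-1] if recent else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
        elif op.name in ("GLOBAL", "STACK_GLOBAL"):
            pair = tuple(arg.split(" ", 1)) if op.name == "GLOBAL" else tuple(recent[-2:])
            if pair not in ALLOWED:  # unresolved names also land here (fail closed)
                found.append(".".join(str(p) for p in pair))
            recent.append(None)
        else:
            recent.append(arg if isinstance(arg, str) else None)
    return found

def scan_checkpoint(data: bytes) -> list:
    """Scan a torch zip archive (every *.pkl member) or a legacy raw pickle."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_pickle(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [g for n in zf.namelist() if n.endswith(".pkl") for g in scan_pickle(zf.read(n))]

def as_zip(pkl: bytes) -> bytes:
    # Constructed-sample helper: place a pickle at <name>/data.pkl as torch.save does.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rng_state/data.pkl", pkl)
    return buf.getvalue()

# Constructed samples. SUSPECT only *references* platform.node; nothing is called.
BENIGN = pickle.dumps({"python": (3, (1, 2, 3), None), "cpu": OrderedDict()})
SUSPECT = pickle.dumps({"cpu": platform.node})
```

A non-empty result means the file should be rejected before it reaches `torch.load()`. The scan complements upgrading and `weights_only=True`; it does not replace them.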

Advisories
Source: Github GHSA
ID: GHSA-69w3-r845-3855
Title: HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
History

Tue, 28 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*
cpe:2.3:a:huggingface:transformers:5.0.0:rc0:*:*:*:*:*:*
cpe:2.3:a:huggingface:transformers:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:huggingface:transformers:5.0.0:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Huggingface
Huggingface transformers
Vendors & Products Huggingface
Huggingface transformers

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Title Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-07T13:27:41.789Z

Reserved: 2026-02-03T16:49:27.781Z

Link: CVE-2026-1839

Vulnrichment

Updated: 2026-04-07T13:27:31.816Z

NVD

Status: Analyzed

Published: 2026-04-07T06:16:41.490

Modified: 2026-04-28T16:39:31.917

Link: CVE-2026-1839

Redhat

Severity: Moderate

Public Date: 2026-04-07T05:22:00Z

Links: CVE-2026-1839 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z
