Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LMDeploy, a toolkit for deploying large language models, was found to execute arbitrary code through a hardcoded trust_remote_code=True flag in several HuggingFace model-loading calls. As a result, any model supplied to LMDeploy can contain malicious code that will run with the process’s privileges during initialization. This flaw is classified as code injection and satisfies CWE‑94, exposing the entire runtime to compromise.

Affected Systems

The vulnerability affects InternLM’s lmdeploy product for all releases 0.12.3 and earlier. Systems that rely on these versions and load models from external or untrusted sources are at risk. No other vendors are listed.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity and the exploitability is enabled through model loading. The EPSS score is not available, but the vulnerability is not currently listed in CISA KEV, implying no known widespread exploitation at this time. An attacker can obtain compromise by supplying a malicious model, either locally or remotely, to an unpatched LMDeploy instance. Until a patch is released, the risk remains high and the flaw constitutes a critical exposure to the code base.

Generated by OpenCVE AI on June 10, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy LMDeploy in a sandboxed environment that limits network access to only trusted, locally vetted model files and prevents loading from external repositories.
  • Review the LMDeploy source code and remove or override the hardcoded trust_remote_code=True flag, or replace it with a safe import routine that requires explicit approval before executing model code.
  • Continuously monitor InternLM’s release channel and upgrade to a patched version as soon as it becomes available, while disabling any remote code execution features until the upgrade is performed.

Generated by OpenCVE AI on June 10, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m549-qq94-fvhg LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
History

Tue, 09 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.
Title LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:05:38.876Z

Reserved: 2026-05-13T22:18:22.830Z

Link: CVE-2026-46432

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:53.557

Modified: 2026-06-10T00:16:53.557

Link: CVE-2026-46432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:00:12Z

Weaknesses