Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LMDeploy, a toolkit for compressing, deploying, and serving large language models, contains a hardcoded configuration that sets trust_remote_code=True in versions 0.12.3 and earlier. This disables the safety check that normally requires user opt‑in, allowing malicious code supplied through a Hugging Face model repository to be executed automatically during model loading. The vulnerability can lead to remote code execution or full system compromise if an attacker controls the model payload, as the code runs with the same privileges as the LMDeploy process.

Affected Systems

The affected product is InternLM’s LMDeploy, specifically all releases up to and including 0.12.3. No patch is currently available; the vulnerability exists in the pre‑0.12.3 code base.

Risk and Exploitability

The CVSS score of 7.8 indicates a high‑severity flaw. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but the nature of the flaw—automatic loading of untrusted code—creates a high likelihood of exploitation by attackers with access to the model repository or deployment environment. The attack vector is remote, leveraging the model loading mechanism; an attacker can supply or modify a model definition that contains malicious code which will be executed during deployment.

Generated by OpenCVE AI on June 10, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure LMDeploy to set trust_remote_code=False in all deployment configurations.
  • Manually review and verify any model code before execution within LMDeploy.
  • Monitor InternLM’s release channel and apply an updated version once a patch that removes the hardcoded flag becomes available.

Generated by OpenCVE AI on June 10, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9xq9-36w5-q796 lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
History

Wed, 10 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Internlm
Internlm lmdeploy
Vendors & Products Internlm
Internlm lmdeploy

Tue, 09 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
Title LMDeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
Weaknesses CWE-1188
CWE-915
CWE-94
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Internlm Lmdeploy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:05:43.966Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46517

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:53.827

Modified: 2026-06-10T00:16:53.827

Link: CVE-2026-46517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:15:19Z

Weaknesses