Description
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
Published: 2026-06-03
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the LightGlue model loading mechanism of huggingface/transformers allows an attacker to execute arbitrary Python code during model initialization. The bug stems from the trust_remote_code flag being overwritten by untrusted data in a nested configuration path, so even when the flag is set to False, malicious code can be loaded. This results in a high‑impact remote code execution vulnerability that can lead to credential theft, lateral movement, or persistence on systems that load untrusted models.

Affected Systems

The vulnerability affects the huggingface/huggingface-transformers product, specifically versions that include the LightGlue implementation, with the issue documented in version 5.2.0. Earlier or later releases that contain the fix are not affected. Any environment that loads LightGlue models via AutoModel.from_pretrained is in scope, such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers.

Risk and Exploitability

The CVSS score is 8, indicating high severity. The EPSS score is not available, so the current exploitation likelihood is unknown, but the lack of a KEV listing does not preclude active attacks. The vulnerability can be exploited by any party that can supply a model repository, either by hosting a malicious model or by coercing a user to load it. Because the trust_remote_code parameter is ultimately overridden by the model’s own configuration, the attack vector is a relatively simple supply‑chain attack that does not require privileged access or additional vulnerabilities.

Generated by OpenCVE AI on June 3, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade huggingface/transformers to the latest released version that includes the patched LightGlue initialization logic.
  • Run all model loading in a restricted, isolated environment (e.g., sandboxed container) to limit the impact of any code that may still execute.
  • Enforce a strict policy that only trusted model repositories are used; manually verify config.json files or disable nested configuration loading whenever possible.
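As an added defensive check illustrating the "manually verify config.json" action above (not code from the advisory or from the transformers project), the scan below walks a downloaded config.json including every nested sub-model config and refuses to proceed if any level carries a `trust_remote_code` flag or an `auto_map` entry, the two config keys that can cause transformers to import Python from a model repository. The nested key name `keypoint_detector_config` and both sample configs are constructed for illustration.

```python
import json
from typing import Iterator, List, Tuple

# Keys that can make transformers import Python code shipped with a model.
# `auto_map` is the standard remote-code hook; `trust_remote_code` is the
# flag the advisory says LightGlueConfig reads back out of config.json.
REMOTE_CODE_KEYS = ("auto_map", "trust_remote_code")


def find_remote_code_hooks(config: dict, path: str = "") -> Iterator[Tuple[str, object]]:
    """Yield (dotted_path, value) for every remote-code key at any nesting depth."""
    for key, value in config.items():
        here = f"{path}.{key}" if path else key
        if key in REMOTE_CODE_KEYS and value:  # false/empty values are inert
            yield here, value
        if isinstance(value, dict):  # recurse into nested sub-model configs
            yield from find_remote_code_hooks(value, here)


def is_safe_to_load(config_text: str) -> Tuple[bool, List[Tuple[str, object]]]:
    """Return (ok, findings); ok is False when any level carries a hook."""
    findings = list(find_remote_code_hooks(json.loads(config_text)))
    return (not findings), findings


# Constructed sample: a LightGlue-style config whose nested sub-config
# (key name assumed) smuggles in trust_remote_code and an auto_map entry.
SUSPICIOUS_CONFIG = json.dumps({
    "model_type": "lightglue",
    "keypoint_detector_config": {
        "model_type": "superpoint",
        "trust_remote_code": True,
        "auto_map": {"AutoModel": "untrusted_module.CustomModel"},
    },
})

# Constructed sample: the same layout with no remote-code hooks anywhere.
CLEAN_CONFIG = json.dumps({
    "model_type": "lightglue",
    "keypoint_detector_config": {"model_type": "superpoint"},
})

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_CONFIG), ("clean", CLEAN_CONFIG)):
        ok, findings = is_safe_to_load(text)
        print(name, "OK" if ok else f"REFUSE: {findings}")
```

Run the check against the repository's config.json before calling from_pretrained; a refusal means the file should be inspected by hand rather than loaded, regardless of the trust_remote_code argument passed to the loader.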



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
Title         (none)           Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
Weaknesses    (none)           CWE-829
References    (none)           (none)
Metrics       (none)           cvssV3_0: {'score': 8, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-03T15:45:36.684Z

Reserved: 2026-03-31T14:26:14.353Z

Link: CVE-2026-5241

Vulnrichment

Updated: 2026-06-03T15:45:33.083Z

NVD

Status : Received

Published: 2026-06-03T14:16:46.337

Modified: 2026-06-03T16:16:31.393

Link: CVE-2026-5241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:30:26Z

Weaknesses