Description
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unvalidated model path input in the WebUI of LLaMA-Factory lets a remote attacker with WebUI access reach the AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() calls, which are made with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary Python code from a remote or local model repository. The code runs with the full privileges of the server process, leading to complete system compromise.

Affected Systems

The vulnerability affects the hiyouga LlamaFactory product up to and including version 0.9.5. No other releases were listed as impacted.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical, and the lack of an EPSS score means the likelihood of exploitation is undetermined. The vulnerability is not present in the CISA KEV catalog, but attackers only need WebUI access and can supply an arbitrary model path to trigger the exploit. The exploitation path is straightforward and does not require additional privileges beyond those granted by the WebUI.

Generated by OpenCVE AI on June 30, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest LLaMA-Factory release that includes the patch for this vulnerability.
  • If an upgrade is not feasible, modify the code to remove or disable the trust_remote_code=True parameter when loading models from AutoTokenizer.from_pretrained() and AutoModel.from_pretrained().
  • Restrict WebUI access to authenticated and trusted personnel, applying strict role‑based access controls.
  • Implement input validation to ensure only approved model paths are accepted by the WebUI.
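The last two recommended actions, shown together as an added example that is not LLaMA-Factory's own code: a loader that accepts only allowlisted Hub repos (pinned to a revision) or absolute paths under one vetted local directory, and calls from_pretrained() with trust_remote_code=False. The allowlist entries, the placeholder revisions and the /srv/models root are constructed assumptions.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed allowlist (assumption): Hub repos pinned to a revision, plus one local root.
# The revisions are placeholders; a deployment would pin real commit hashes.
ALLOWED_HUB_REPOS = {
    "Qwen/Qwen2.5-7B-Instruct": "<pinned-commit-hash>",
    "meta-llama/Llama-3.1-8B-Instruct": "<pinned-commit-hash>",
}
ALLOWED_LOCAL_ROOT = Path("/srv/models")  # hypothetical directory of vetted local checkpoints
HUB_ID_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")


class UnsafeModelPath(ValueError):
    """Raised when a WebUI-supplied model path is not on the allowlist."""


def resolve_model_path(user_input: str) -> Tuple[str, Optional[str]]:
    """Map raw WebUI input to (path_or_repo, revision); reject anything not allowlisted.

    Hub ids must match the allowlist exactly. Local paths must be absolute and must
    resolve (after collapsing '..' and following symlinks) inside ALLOWED_LOCAL_ROOT.
    """
    candidate = user_input.strip()
    if not candidate:
        raise UnsafeModelPath("empty model path")
    if HUB_ID_RE.match(candidate):  # looks like "org/name": allowlist lookup only
        if candidate in ALLOWED_HUB_REPOS:
            return candidate, ALLOWED_HUB_REPOS[candidate]
        raise UnsafeModelPath(f"hub repo not allowlisted: {candidate}")
    if not candidate.startswith("/"):
        raise UnsafeModelPath(f"not a hub id or absolute local path: {candidate}")
    root = ALLOWED_LOCAL_ROOT.resolve()
    local = Path(candidate).resolve()
    if local == root or not local.is_relative_to(root):
        raise UnsafeModelPath(f"local path escapes model root: {candidate}")
    return str(local), None


def is_allowed_model_path(user_input: str) -> bool:
    """Accept/reject form for a WebUI validator hook."""
    try:
        resolve_model_path(user_input)
        return True
    except UnsafeModelPath:
        return False


def load_model_safely(user_input: str):
    """Hardened replacement for loading user input with a hardcoded trust_remote_code=True."""
    path, revision = resolve_model_path(user_input)
    from transformers import AutoModel, AutoTokenizer  # lazy import keeps validation testable offline
    # trust_remote_code=False: a checkpoint that ships custom Python modules fails to load instead of running them.
    tokenizer = AutoTokenizer.from_pretrained(path, revision=revision, trust_remote_code=False)
    model = AutoModel.from_pretrained(path, revision=revision, trust_remote_code=False)
    return tokenizer, model
```

Architectures that genuinely need custom code should be added to the allowlist by an administrator after review, not enabled globally.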

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 13:15:00 +0000

Values removed: (none)
Values added:
Description: LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
Title: LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path
Weaknesses: CWE-829, CWE-94
References: (none)
Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T14:06:16.566Z

Reserved: 2026-06-29T14:13:18.383Z

Link: CVE-2026-58116

Vulnrichment

Updated: 2026-06-30T14:06:11.441Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  • CWE-94: Improper Control of Generation of Code ('Code Injection')