CVE-2026-4372— Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
Possible ATT&CK Techniques 3AI
T1055 · Process Injection T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| huggingface | huggingface/transformers | unspecified< 5.3.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4372
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
Source: NVD (National Vulnerability Database)
Vulnerability Description
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
缺少序列化控件元素
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| huggingface | huggingface/transformers | unspecified ~ 5.3.0 | - |
II. Public POCs for CVE-2026-4372
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4372
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-4372 (1)
Vendor Advisories for CVE-2026-4372 (1)
IV. Related Vulnerabilities
Same product: huggingface/transformers
- CVE-2026-1839
Arbitrary Code Execution via Unsafe torch.load() in Trainer - CVE-2025-6921
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-6051
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-6638
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-5197
Regular Expression Denial of Service (ReDoS) in huggingface/
Same vendor: huggingface
- CVE-2026-44827
Diffusers: None.py Trust Remote Code Bypass - CVE-2026-44513
Diffusers: `trust_remote_code` bypass via `custom_pipeline` - CVE-2026-1839
Arbitrary Code Execution via Unsafe torch.load() in Trainer - CVE-2026-4963
huggingface smolagents Incomplete Fix CVE-2025-9959 local_py - CVE-2026-2654
huggingface smolagents LocalPythonExecutor requests.post ser
V. Comments for CVE-2026-4372
No comments yet