A critical security flaw in the Hugging Face Transformers library, tracked as CVE-2026-4372, allows remote code execution (RCE) through malicious model configuration files. The vulnerability poses a significant supply-chain threat to one of the most widely used machine learning frameworks, affecting developers, businesses, and AI pipelines globally.
Understanding the Vulnerability
The vulnerability arises from insufficient validation of untrusted values in model configuration files, specifically the _attn_implementation_internal attribute. An attacker can plant a reference in a model's configuration file that the library resolves and executes during the model loading procedure. The attack succeeds even when trust_remote_code=False is set, bypassing the safeguard meant to prevent exactly this kind of code execution.
The issue affects Transformers versions from 4.56.0 through 5.2.x, particularly when the optional kernels package is installed. The vulnerable code was introduced in August 2025 and remained exploitable until March 2026, leaving an exposure window of approximately six months. During this period, any model loaded from the Hugging Face Hub with the from_pretrained() function could be silently compromised.
Exploitation and Impact
In a typical attack, a threat actor uploads a seemingly legitimate model to the Hugging Face Hub with a malicious config.json that points to an attacker-controlled repository. When the model is loaded, the Transformers library downloads and executes the referenced code without validation, giving the attacker immediate code execution on the victim's system.
Successful exploitation gives attackers access to sensitive data such as AWS credentials, SSH keys, and API tokens, potentially compromising CI/CD pipelines and enabling lateral movement across the victim's infrastructure. Because loading proceeds without any warning, the attack is stealthy and difficult to detect.
Preventive Measures and Future Outlook
The scale of exposure is extensive. With over 2.2 billion installs and 146 million monthly downloads, the Transformers library's widespread use increases the likelihood of exploitation. Researchers have also noted a broader problem across machine learning ecosystems: model files and their configurations are often mistakenly treated as trusted data.
Hugging Face addressed the vulnerability in version 5.3.0 by blocking unsafe internal attributes in loaded configurations and enforcing stricter controls on kernel loading. With the update, external code execution again requires explicit user consent via trust_remote_code=True. Organizations using Transformers are strongly advised to upgrade to the latest version and to audit previously downloaded models.
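One way to act on that upgrade-and-audit advice, as an added example that is not from the article or from Hugging Face: a small script that checks an installed Transformers version against the affected range named above and flags any cached config.json that carries the _attn_implementation_internal key (or any other underscore-prefixed internal attribute, which a downloaded config should not need to set). The sample configs and the repository string in them are constructed placeholders.

```python
"""Audit Transformers version and downloaded config.json files for CVE-2026-4372."""
import json
from pathlib import Path

# Affected range stated in the article: 4.56.0 through 5.2.x, fixed in 5.3.0.
AFFECTED_MIN = (4, 56, 0)
FIXED = (5, 3, 0)

# Attribute named in the article. Other "_"-prefixed keys are flagged as well,
# since internal attributes have no business appearing in a published config
# (assumption: a model author never needs to ship them).
SUSPECT_KEYS = {"_attn_implementation_internal"}


def parse_version(version: str) -> tuple:
    """Turn '5.2.1' or '5.2.1.dev0' into (5, 2, 1); non-numeric suffixes are dropped."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected_version(version: str) -> bool:
    """True if the given transformers version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def audit_config(config: dict) -> list:
    """Return human-readable findings for one parsed config.json dictionary."""
    findings = []
    for key, value in config.items():
        if key in SUSPECT_KEYS:
            findings.append(f"{key}={value!r}: attribute named in CVE-2026-4372")
        elif key.startswith("_"):
            findings.append(f"{key}={value!r}: internal attribute in downloaded config")
    return findings


def audit_model_dir(model_dir: str) -> list:
    """Audit the config.json inside a downloaded model directory, if present."""
    cfg = Path(model_dir) / "config.json"
    if not cfg.is_file():
        return []
    return audit_config(json.loads(cfg.read_text(encoding="utf-8")))


# Constructed sample configs (not real models): one clean, one carrying the key.
SAMPLE_CLEAN = {"model_type": "bert", "hidden_size": 768}
SAMPLE_SUSPECT = {"model_type": "bert",
                  "_attn_implementation_internal": "placeholder-org/placeholder-kernel"}
```

Point audit_model_dir at each snapshot directory under your Hugging Face cache to review models downloaded during the exposure window; a non-empty result deserves a manual look before the model is loaded again.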
CVE-2026-4372 highlights the growing need to secure AI supply chains. As machine learning adoption expands, attackers increasingly target model distribution platforms, turning trusted workflows into attack vectors. Strengthening security controls and maintaining vigilance over which models are loaded, and from where, are crucial steps forward.
