A critical remote code execution vulnerability in Hugging Face’s Transformers library allowed attackers to run arbitrary code on a victim’s machine simply by loading a malicious AI model.
The flaw, tracked as CVE-2026-4372, bypassed the trust_remote_code=False security setting, meaning even organizations following Hugging Face’s recommended guidance were vulnerable.
An attacker needed only to embed a malicious payload into a model’s configuration file. Loading that model with from_pretrained() would execute the code without any warning.
Transformers is one of the most widely used AI packages, with over 2.2 billion total downloads and roughly 146 million monthly downloads. Pluto Security estimates the vulnerable versions were downloaded 232 million times in the six months the flaw was active.
The bug affected versions 4.56.0 through 5.2.x, first appearing in version 4.56.0 released on August 29. A silent compromise could allow attackers to steal cloud credentials, API keys, SSH keys, Kubernetes configurations, database credentials, source code, and proprietary datasets.
“Organizations have spent years building policies around the idea that keeping trust_remote_code disabled makes model loading safe,” said Yotam Perkal, director of security research at Pluto Security. “This vulnerability showed that assumption could be broken.”
Pluto reported the issue to Hugging Face in February. The fix came in Transformers version 5.3.0, released March 4, which blocks attacker-controlled configuration values from reaching the vulnerable code path and requires explicit user consent before loading untrusted external kernels.
Hugging Face recommends upgrading to version 5.3.0 or later, auditing cached model configurations, and treating model loading as a code execution surface.
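The two checks that follow from those recommendations, a version-range test and a scan of cached model configurations, can be scripted. The block below is an added example, not Pluto Security's or Hugging Face's code. It assumes the affected range stated above (4.56.0 up to but not including 5.3.0), the standard Hugging Face hub cache layout (HF_HUB_CACHE or ~/.cache/huggingface/hub, with one config.json per cached snapshot), and, because the article does not name the configuration field the exploit abused, it relies on generic heuristics: keys whose tokens suggest code or kernel loading, and string values shaped like URLs, "org/repo" ids or dotted module paths. The sample configs at the bottom are constructed for the demonstration and do not describe any real model.

```python
"""Audit helpers for the Transformers config-loading issue above (added example).

Not Pluto Security's or Hugging Face's code. Assumptions: the affected range is
4.56.0 <= version < 5.3.0 (from the article); cached configs are config.json files
under the hub cache (HF_HUB_CACHE or ~/.cache/huggingface/hub); the article does
not name the config field the exploit abused, so the scanner uses generic
heuristics (keys hinting at code or kernels; values shaped like URLs, repo ids
or dotted module paths).
"""
import json
import os
import re
from pathlib import Path

AFFECTED_MIN = (4, 56, 0)  # first vulnerable release per the article
FIXED = (5, 3, 0)          # release carrying the fix

# Every config carries these repo-id/version-like strings; skip them.
IGNORE_KEYS = {"_name_or_path", "transformers_version"}
# Heuristic (assumed) key tokens suggesting code or kernel loading.
SUSPICIOUS_KEY_RE = re.compile(r"(^|_)(auto_map|kernels?|custom|code|modules?|imports?)(_|$)")
# Heuristic (assumed) value shapes: URL, "org/repo" id, or dotted module path.
SUSPICIOUS_VALUE_RE = re.compile(r"^(https?://|[\w.-]+/[\w.-]+$|[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$)")


def parse_version(version: str) -> tuple:
    """Keep the leading numeric components: '5.2.1.dev0' -> (5, 2, 1)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True if this Transformers version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def scan_config(config: dict, prefix: str = "") -> list:
    """Return findings for config entries that look like code or kernel references."""
    findings = []
    for key, value in config.items():
        if key in IGNORE_KEYS:
            continue
        path = f"{prefix}.{key}" if prefix else key
        key_hit = bool(SUSPICIOUS_KEY_RE.search(key))
        if key_hit:
            findings.append(f"{path}: suspicious key ({value!r})")
        if isinstance(value, dict):
            findings.extend(scan_config(value, path))
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    findings.extend(scan_config(item, f"{path}[{i}]"))
                elif isinstance(item, str) and SUSPICIOUS_VALUE_RE.match(item):
                    findings.append(f"{path}[{i}]: code-like value {item!r}")
        elif isinstance(value, str) and not key_hit and SUSPICIOUS_VALUE_RE.match(value):
            findings.append(f"{path}: code-like value {value!r}")
    return findings


def audit_cache(cache_dir=None) -> dict:
    """Walk the hub cache; map each config.json with findings to its finding list."""
    root = Path(cache_dir or os.environ.get("HF_HUB_CACHE")
                or Path.home() / ".cache" / "huggingface" / "hub")
    report = {}
    for cfg in root.rglob("config.json"):
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not a model config we can judge
        hits = scan_config(data) if isinstance(data, dict) else []
        if hits:
            report[str(cfg)] = hits
    return report


# Constructed sample configs (not from any real model) to exercise the scanner.
BENIGN_CONFIG = {
    "_name_or_path": "example-org/example-model",
    "architectures": ["ExampleForCausalLM"],
    "model_type": "example",
    "hidden_size": 1024,
    "transformers_version": "5.2.0",
}
SUSPICIOUS_CONFIG = dict(BENIGN_CONFIG,
                         auto_map={"AutoModel": "modeling_example.ExampleModel"},
                         kernel_source="https://example.invalid/kernels.py")

if __name__ == "__main__":
    print("version 5.2.0 affected:", is_affected("5.2.0"))
    print("benign sample:", scan_config(BENIGN_CONFIG))
    print("suspicious sample:", scan_config(SUSPICIOUS_CONFIG))
    for path, hits in audit_cache().items():
        print(path, *hits, sep="\n  ")
```

A finding from scan_config is a prompt for review, not proof of compromise: auto_map entries, for instance, are how legitimate custom-code models point at their modules, which is exactly why they deserve a look when the cache was populated by a vulnerable version. The version check is the decisive signal; the config scan narrows which cached models to inspect or purge.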