Remote Code Execution Vulnerability in Hugging Face's Text Generation Inference

CVE-2026-0599

What is CVE-2026-0599?

A flaw in Hugging Face's text-generation-inference version 3.3.6 permits unauthenticated remote attackers to exploit unbounded fetching of external images during input validation. The vulnerability is triggered when the application scans for Markdown image links, resulting in the application executing a blocking HTTP GET request. This process can lead to severe resource exhaustion, impacting network bandwidth, memory, and CPU usage. Notably, the issue persists even if the request ultimately exceeds token limits and is denied. The default settings, which do not impose strict limits on memory usage or require authentication, further escalate the risk, potentially leading to severe performance degradation or even system crashes. This vulnerability is addressed in version 3.3.7.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References