Remote Code Execution Vulnerability in Diffusers Library by Hugging Face
CVE-2026-44513

8.8HIGH

Key Information:

Vendor: Huggingface
Status: Diffusers
Vendor: CVE Published:; 14 May 2026

🔔 Create Huggingface Vulnerability Alert

What is CVE-2026-44513?

The Diffusers library, used for pretrained diffusion models, contains a vulnerability that allows remote code execution due to improper handling of the trust_remote_code setting. Even when users set trust_remote_code=False, the security check can be bypassed, leading to the execution of arbitrary code from untrusted sources. This occurs because the check is implemented incorrectly within the download function, allowing multiple attack vectors against different repository paths. The issue has been rectified in version 0.38.0.

Affected Version(s)

diffusers < 0.38.0

References

https://github.com/huggingface/diffusers/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44513 Data

JSON