Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
CVE-2026-5241

8HIGH

Key Information:

Vendor: Huggingface
Status: Huggingface/transformers
Vendor: CVE Published:; 3 June 2026

🔔 Create Huggingface Vulnerability Alert

What is CVE-2026-5241?

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trust_remote_code parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using AutoModel.from_pretrained() with trust_remote_code=False, the LightGlueConfig reads the trust_remote_code value from the untrusted config.json file and propagates it into nested AutoConfig.from_pretrained() calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.

Affected Version(s)

huggingface/transformers < 5.5.0

References

https://huntr.com/bounties/ceb3ce1a-4c45-497a-b25e-cb9a76...

https://github.com/huggingface/transformers/commit/676559...

CVSS V3.0

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-5241 Data

JSON