Severity: HIGH | CVE-2026-46432 | CNA: GitHub_M

CVE-2026-46432: LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary code execution vulnerability exists in LMDeploy (versions 0.12.3 and earlier) caused by the toolkit hardcoding trust_remote_code=True across multiple HuggingFace model-loading call sites. Any code embedded in a remote model repository is automatically executed without user consent or review when a model is loaded. An attacker who controls or compromises a model repository can achieve full code execution in the context of the loading process, giving them access to read secrets, modify files, or disrupt the service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
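To make the "hardcoded" part concrete, the following added example (not code from LMDeploy or HarborGuard) walks a Python file's AST and reports every place where trust_remote_code is a literal True, either as a call keyword or inside a dict later splatted into a call. The sample source and the make_tokenizer helper in it are constructed for illustration.

```python
import ast

# Constructed sample resembling a model-loading helper; not LMDeploy source.
SAMPLE = '''
from transformers import AutoConfig, AutoModelForCausalLM

def load(path, trust=False):
    cfg = AutoConfig.from_pretrained(path, trust_remote_code=True)
    opts = {"trust_remote_code": True, "torch_dtype": "auto"}
    model = AutoModelForCausalLM.from_pretrained(path, **opts)
    tok = make_tokenizer(path, trust_remote_code=trust)  # caller-controlled
    return cfg, model, tok
'''

FLAG = "trust_remote_code"


def _is_true(node):
    """True only for the literal constant True, not for variables."""
    return isinstance(node, ast.Constant) and node.value is True


def find_hardcoded_trust(source, filename="<src>"):
    """Return sorted (line, kind) pairs where the flag is literally True."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == FLAG and _is_true(kw.value):
                    hits.add((kw.value.lineno, "call keyword"))
        elif isinstance(node, ast.Dict):
            for key, val in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and key.value == FLAG
                        and _is_true(val)):
                    hits.add((val.lineno, "dict literal"))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind in find_hardcoded_trust(SAMPLE):
        print(f"line {line}: hardcoded {FLAG}=True ({kind})")
```

Call sites that pass the flag through from a caller-supplied variable are deliberately not reported, since the operator can still set them to False.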

HarborGuard Coverage

Detection

Detection of CVE-2026-46432 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle LMDeploy 0.12.3 or earlier.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and can weight that score against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix has been published for CVE-2026-46432, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment InternLM ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the vulnerable service is required to trigger model loading.

  • Authentication: Required

    A low-privilege local account is sufficient; any user able to invoke LMDeploy model-loading code can trigger execution of remote model code.

  • Victim interaction: Not required

    No victim interaction is needed; exploitation occurs automatically when LMDeploy loads a model from an attacker-controlled repository.

  • Attack complexity: Detail

    Attack complexity is low: exploitation is reliable and requires no race conditions, specific memory layout, or other environmental prerequisites beyond a malicious model repository being loaded.

Blast Radius

  • Reads secrets, API keys, and environment variables accessible to the LMDeploy process.
  • Writes or modifies files on disk within the permissions of the running process, including model weights, configuration files, and application code.
  • Crashes or destabilizes the LMDeploy serving process, causing a denial of service for inference workloads depending on it.
  • Pivots to other services or credentials reachable from the host if the process runs with broad network or filesystem access.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against all images in customer registries and CI pipelines, including internally built images that bundle LMDeploy. Because no upstream patch exists at the time of publication, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once InternLM publishes a fix. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with no manual step required. While no fix is available, compensating controls worth considering include restricting the model-loading process to a network-isolated container with egress filtering to prevent outbound connections from loaded model code, applying least-privilege execution so the LMDeploy process cannot reach sensitive credentials or adjacent services, and gating model loads behind an allowlist of reviewed repository hashes at the infrastructure level. Where compliance policy requires sign-off before auto-remediation, HarborGuard routes the finding to the appropriate owner inbox so the team can apply manual controls in the interim.
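One way to implement the allowlist control mentioned above, as an added example (not HarborGuard's or LMDeploy's code): digest a locally downloaded model snapshot, permit loading only if that digest was recorded at review time, and report when an unreviewed snapshot carries custom code. It assumes the Transformers convention of an auto_map entry in config.json pointing at repository Python modules; the function names and the demo snapshot are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_digest(root):
    """SHA-256 over every file's relative path and content hash, sorted."""
    h = hashlib.sha256()
    root = Path(root)
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        h.update(p.relative_to(root).as_posix().encode() + b"\0")
        h.update(hashlib.sha256(p.read_bytes()).digest())
    return h.hexdigest()


def ships_custom_code(root):
    """True if the snapshot has Python files or an auto_map in config.json."""
    root = Path(root)
    if any(root.rglob("*.py")):
        return True
    cfg = root / "config.json"
    return cfg.is_file() and "auto_map" in json.loads(cfg.read_text())


def gate_model_load(root, reviewed_digests):
    """Return (allowed, reason); only reviewed snapshots may be loaded."""
    if snapshot_digest(root) in reviewed_digests:
        return True, "digest on reviewed allowlist"
    if ships_custom_code(root):
        return False, "unreviewed snapshot ships custom code"
    return False, "unreviewed snapshot"


def demo():
    """Constructed snapshot: reviewed once, then modified after review."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        (repo / "config.json").write_text(json.dumps(
            {"model_type": "demo",
             "auto_map": {"AutoModel": "modeling_demo.DemoModel"}}))
        (repo / "modeling_demo.py").write_text("class DemoModel: ...\n")
        allow = {snapshot_digest(repo)}  # recorded at review time
        before = gate_model_load(repo, allow)
        (repo / "modeling_demo.py").write_text("class DemoModel: ...\n# edit\n")
        after = gate_model_load(repo, allow)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The gate has to run against the exact bytes the serving process will read, so the download and the load should share one read-only directory.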

Affected packages
  • InternLM / lmdeploy
    <= 0.12.3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H