HIGH | CVE-2026-46517 | CNA: GitHub_M

CVE-2026-46517: LMDeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unsafe remote-code execution path in LMDeploy (versions 0.12.3 and prior), a toolkit for compressing, deploying, and serving large language models. The vulnerability arises because LMDeploy hardcodes trust_remote_code=True when loading Hugging Face models, meaning any model artifact that contains custom Python code will have that code executed automatically, with no option for the user to opt out. Successful exploitation allows an attacker who controls a malicious model artifact to execute arbitrary code on the host running LMDeploy. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle LMDeploy 0.12.3 or earlier.

Triage: Available

HarborGuard scores this finding at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment InternLM ships a remediated release. In the interim, customers can apply compensating controls through HarborGuard's policy engine as described below.

Exploit Conditions

  • Network reachability: Not required

    The attacker does not need remote network access; they need an existing shell or process on the host, or the ability to supply a malicious model artifact to a user who loads it locally.

  • Authentication: Not required

    No account or credentials are required; any process or user that can present a crafted model artifact to LMDeploy can trigger the exploit.

  • Victim interaction: Required

    A user or automated pipeline must load the malicious model artifact, making this a supply-chain social-engineering vector where the attacker plants a poisoned model in a registry or repository the victim trusts.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and requires no race conditions, memory-layout knowledge, or other environmental prerequisites beyond delivering the malicious artifact.

Blast Radius

  • Executes arbitrary Python code on the host running LMDeploy with the privileges of the loading process, giving the attacker full control over that process.
  • Reads any secrets, credentials, or model data accessible to the process, including environment variables, API keys, and cached Hugging Face tokens.
  • Modifies or exfiltrates model weights, training data, or inference outputs stored on the host filesystem.
  • Crashes or persistently backdoors the LMDeploy serving process, disrupting inference availability for downstream applications.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists yet, every HarborGuard environment scanning images that include LMDeploy 0.12.3 or earlier will surface this CVE as a HIGH-severity open finding with no fix ETA. HarborGuard re-evaluates the advisory on each ingest cycle and will trigger an automatic patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads the moment InternLM publishes a remediated version. While the vulnerability remains unpatched, customers can use HarborGuard's network-policy controls to restrict which registries and model repositories the LMDeploy process is permitted to pull from, reducing exposure to malicious artifact injection. Additional compensating controls include egress filtering to block unexpected outbound connections that a malicious model payload might initiate, and feature-flag or manifest gating to prevent loading of unsigned or unreviewed model artifacts in production pipelines.
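A pre-load check a defender can put in front of LMDeploy's loader, added here as an example (it is not LMDeploy's or HarborGuard's code): it inspects a local Hugging Face checkpoint for the two markers that make trust_remote_code matter (auto_map entries in config.json and .py modules bundled with the weights) and refuses the load unless the caller opts in explicitly, which is the opt-out the advisory says LMDeploy lacks. The sample checkpoint directories it builds are constructed for the demonstration and contain no real weights.

```python
import json
import tempfile
from pathlib import Path

def requires_remote_code(model_dir):
    """Return (needs_remote_code, reasons) for a local Hugging Face checkpoint.

    A checkpoint needs trust_remote_code when config.json maps Auto* classes to
    custom modules via "auto_map", or when it ships .py files the loader imports.
    """
    model_dir = Path(model_dir)
    reasons = []
    cfg_path = model_dir / "config.json"
    if cfg_path.is_file():
        cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
        for auto_cls, target in (cfg.get("auto_map") or {}).items():
            reasons.append(f"config.json auto_map: {auto_cls} -> {target}")
    for py in sorted(model_dir.rglob("*.py")):
        reasons.append(f"python module shipped with weights: {py.relative_to(model_dir)}")
    return bool(reasons), reasons

def gate_model_load(model_dir, allow_remote_code=False):
    """Refuse a checkpoint that would run custom code unless the caller opted in.

    Returns the keyword arguments to hand to the loader, so the decision is made
    here from an explicit flag rather than by a hardcoded trust_remote_code=True.
    """
    needs, reasons = requires_remote_code(model_dir)
    if needs and not allow_remote_code:
        raise PermissionError("refusing to load checkpoint that requires remote code:\n  "
                              + "\n  ".join(reasons))
    return {"trust_remote_code": needs}

def build_sample_model_dir(with_custom_code):
    """Constructed sample checkpoint directory (no real weights), for demonstration."""
    d = Path(tempfile.mkdtemp(prefix="model-gate-sample-"))
    cfg = {"architectures": ["CustomForCausalLM"], "model_type": "custom"}
    if with_custom_code:
        # Shape of a real custom-code checkpoint: auto_map plus the module it names.
        cfg["auto_map"] = {"AutoModelForCausalLM": "modeling_custom.CustomForCausalLM"}
        (d / "modeling_custom.py").write_text("# custom model code would live here\n")
    (d / "config.json").write_text(json.dumps(cfg))
    return d

if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_model_dir(with_custom_code=flag)
        print(sample, requires_remote_code(sample))
```

Run the check on the checkpoint path before it reaches LMDeploy (for example as a CI or pipeline step), since LMDeploy 0.12.3 and earlier will execute bundled code regardless of any flag once the path is handed to it.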

Affected packages
  • InternLM / lmdeploy <= 0.12.3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H