CVE-2026-47117 (Severity: CRITICAL; CNA: VulnCheck)

CVE-2026-47117: OpenMed < 1.5.2 Remote Code Execution via PII Model Loading

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path that loads Hugging Face models with trust_remote_code=True. An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json, which is imported and executed with the privileges of the OpenMed service process.
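The routing defect described above, reduced to its decision logic as an added example (this is not OpenMed's own code, and the model names and helper names are hypothetical): the pre-1.5.2 dispatcher accepts any model_name that merely contains the substring "privacy-filter" and forwards it to a loader with trust_remote_code=True, while the hardened form validates the repository id and accepts only an exact allowlist, never enabling remote code.

```python
import re

# Constructed placeholder IDs; the real approved models are not on the advisory.
KNOWN_PRIVACY_FILTER_MODELS = {
    "example-org/privacy-filter-base",
    "example-org/privacy-filter-large",
}

# Hugging Face repository ids have the shape "namespace/name" with a
# restricted character set; anything else is rejected before any lookup.
HF_REPO_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*/[A-Za-z0-9][A-Za-z0-9._-]*$")


def vulnerable_dispatch(model_name: str) -> dict:
    """Pre-1.5.2 behaviour as the advisory describes it: substring matching
    on the user-supplied name routes to the remote-code loading path."""
    if "privacy-filter" in model_name:
        # An attacker-controlled repo reaches from_pretrained(..., trust_remote_code=True)
        return {"repo": model_name, "trust_remote_code": True}
    return {"repo": model_name, "trust_remote_code": False}


def is_approved(model_name: str) -> bool:
    """True only for a well-formed id that exactly matches the allowlist."""
    return bool(HF_REPO_ID.fullmatch(model_name)) and model_name in KNOWN_PRIVACY_FILTER_MODELS


def hardened_dispatch(model_name: str) -> dict:
    """Defensive form: exact allowlist, and remote code is never trusted,
    so auto_map entries in a repo's config.json are not imported."""
    if not is_approved(model_name):
        raise ValueError(f"model_name {model_name!r} is not an approved privacy-filter model")
    return {"repo": model_name, "trust_remote_code": False}


if __name__ == "__main__":
    crafted = "attacker/foo-privacy-filter-bar"   # value quoted in the advisory
    print("vulnerable:", vulnerable_dispatch(crafted))
    print("hardened:", hardened_dispatch("example-org/privacy-filter-base"))
    try:
        hardened_dispatch(crafted)
    except ValueError as exc:
        print("hardened rejected:", exc)
```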

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 1.5.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Remote code execution via unsafe model loading affects OpenMed versions before 1.5.2. The vulnerability is reachable over the network with no authentication required: an attacker supplies a crafted model name that tricks the privacy-filter dispatcher into loading an arbitrary Hugging Face repository with trust_remote_code=True, causing the attacker's custom Python code to execute with the privileges of the OpenMed service process. A patched-image rebuild at version 1.5.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: CVE-2026-47117 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle OpenMed, in both registry scans and CI pipeline checks.

Triage (Available)

HarborGuard scores this issue at CVSS 9.3 Critical and is capable of weighting that score against each customer environment's compliance policy to prioritize alert routing to the right team inbox inside each customer organization.

Patch (Available)

A patched-image rebuild pinned to OpenMed 1.5.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable model-loading endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the OpenMed service.

  • Authentication: Not required

    No account or credential is needed; the malicious model_name parameter can be submitted by any unauthenticated caller.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from a logged-in user or administrator.

  • Attack complexity: Low

    The exploit is reliable and condition-free: no race condition, memory layout dependency, or special environmental state is required beyond being able to reach the service.

Blast Radius

  • Attacker-supplied Python code executes with the full privileges of the OpenMed service process, enabling arbitrary command execution on the host.
  • All data accessible to the service process, including patient PII and any credentials or secrets mounted into the container, is readable by the attacker.
  • The attacker can write or delete files, modify application state, or install persistent tooling within the container filesystem.
  • The running service and any co-located workloads sharing the same process namespace are subject to disruption or takeover.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47117 activates within minutes of ingestion and flags any image containing OpenMed below 1.5.2. A rebuild at the fixed version 1.5.2 is ready to deploy for affected environments. For customers who opt into auto-remediation, HarborGuard can complete the full rebuild, regression run, and PR-open flow; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where a policy review is required before upgrading, HarborGuard recommends applying a network policy that restricts outbound connections from the OpenMed container to trusted model registries only, which prevents the service from fetching attacker-controlled repositories even if the vulnerable code path is reached.


Fix available: 1.5.2

Patch commits

Affected packages
  • maziyarpanahi / openmed: < 1.5.2 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N