HIGH | CVE-2026-5241 | Published / Modified | CNA: @huntr_ai

CVE-2026-5241: Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.

Metrics

CVSS v3.0: 8.0
Severity: HIGH
Fixed in: 5.5.0
Affected Products: 1


HarborGuard Analysis

Synopsis

A policy-bypass vulnerability in the LightGlue model loading path of huggingface/transformers (versions before 5.5.0) allows an attacker-controlled model repository to execute arbitrary Python code during model initialization, even when the caller explicitly sets trust_remote_code=False. The vulnerability is reachable over the network and requires no authentication, but does require the victim to load a malicious model, making it a social-engineering or supply-chain vector. Successful exploitation gives an attacker full code execution in the loading process, enabling credential theft, backdoor installation, or lateral movement. A patched-image rebuild at version 5.5.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-5241 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle huggingface/transformers directly. Images pinned to transformers versions below 5.5.0 are flagged automatically on each scan cycle.

Triage (Available)

Triage is available with the full CVSS 3.0 score of 8.0 (HIGH), weighted against each customer environment's compliance policy to determine urgency and escalation path. Findings are routable to the relevant team inbox within each customer org based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild targeting huggingface/transformers 5.5.0 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must host a malicious model repository reachable over the network, and the victim's environment must be able to fetch from it, exposing any internet-connected model-loading workflow.

  • Authentication: Not required

    No credentials are needed to publish or serve a malicious model repository; the attacker only needs the victim to reference it.

  • Victim interaction: Required

    The victim must actively load the attacker-controlled model, for example by calling AutoModel.from_pretrained() with a malicious repository URI, making this a social-engineering or supply-chain vector.

  • Attack complexity: Detail

    Exploitation requires steering the victim toward a specific malicious model repository, but once that condition is met, code execution is reliable and requires no race conditions or memory-layout manipulation.

Blast Radius

  • Executes arbitrary Python code in the process that loads the model, giving the attacker the same filesystem and network permissions as the running service or notebook.
  • Reads environment variables, mounted secrets, and credential files accessible to the process, enabling theft of API keys, cloud credentials, or tokens.
  • Establishes persistence or deploys a backdoor within the container or host if the process has write access to installed packages or startup scripts.
  • Enables lateral movement to other services reachable from the compromised environment, such as internal APIs, databases, or adjacent inference workers.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against customer images within minutes of advisory publication, covering both pulled base images and internally built images that vendor transformers. For environments running transformers below 5.5.0, a rebuilt image at the 5.5.0 fix version is available. Where compliance policy permits auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass, and opens a pull request against each affected workload; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Because the exploit requires a victim to load a model from an attacker-controlled source, compensating controls while patching include restricting outbound network access from inference and training containers to a curated model-hub allowlist, enforcing a network policy that blocks arbitrary HTTPS egress from CI/CD pipeline workers, and auditing any AutoModel.from_pretrained() calls that accept dynamically constructed repository URIs.
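The mechanism described in the CVE summary (a serialized `trust_remote_code` value inside a nested config overriding the caller's `trust_remote_code=False`) and the compensating control above (auditing model-loading calls) both come down to one pre-load check: inspect the model's `config.json`, including nested sub-configs, before handing it to `from_pretrained()`. The following is an added defensive example; it is not code from huggingface/transformers or from HarborGuard. It assumes the config is ordinary JSON with sub-configs nested as dicts, it treats the `auto_map` key as an indicator that a repository points AutoClasses at custom code (an assumption about the transformers config format, not something the advisory states), and the sample config and module name at the bottom are constructed placeholders rather than a real repository.

```python
"""Pre-load audit of a Hugging Face model config.json (added example).

Walks a parsed config.json, descending into nested sub-configs, and reports
any field that could switch remote-code loading on regardless of the
trust_remote_code=False the caller passed. Also gates on the installed
transformers version, since versions below 5.5.0 are affected.
"""
import json
from typing import Any, Iterator

# Fields that can influence remote-code loading when they appear in a
# serialized config. `trust_remote_code` is the field the advisory names;
# `auto_map` is assumed here to mark a repository that ships custom modules.
REMOTE_CODE_KEYS = ("trust_remote_code", "auto_map")

# First fixed release per the advisory.
FIXED_VERSION = (5, 5, 0)


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' (any suffix ignored) into an int tuple."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given transformers version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def walk(node: Any, path: str = "$") -> Iterator[tuple]:
    """Yield (json_path, key, value) for every remote-code-related key,
    recursing through dicts and lists so nested sub-configs are covered."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in REMOTE_CODE_KEYS:
                yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def audit_config(config: dict) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for path, key, value in walk(config):
        if key == "trust_remote_code" and bool(value):
            findings.append(f"{path} = {value!r}: config tries to enable remote code")
        elif key == "auto_map":
            findings.append(f"{path}: auto_map present, repo references custom code {value!r}")
    return findings


def safe_to_load(config: dict) -> bool:
    """Policy gate for a trust_remote_code=False environment: refuse any
    config that carries a remote-code indicator at any nesting depth."""
    return not audit_config(config)


# Constructed sample imitating a LightGlue-style config with one nested
# sub-config. The sub-config key and module name are placeholders.
SAMPLE_CONFIG = json.loads("""
{
  "model_type": "lightglue",
  "trust_remote_code": false,
  "nested_backbone_config": {
    "model_type": "superpoint",
    "trust_remote_code": true,
    "auto_map": {"AutoConfig": "placeholder_module.PlaceholderConfig"}
  }
}
""")

# Constructed clean sample: no remote-code indicators anywhere.
CLEAN_CONFIG = {"model_type": "lightglue", "trust_remote_code": False}


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("safe_to_load(SAMPLE_CONFIG) =", safe_to_load(SAMPLE_CONFIG))
    print("5.2.0 vulnerable:", is_vulnerable_version("5.2.0"))
```

Run this against the directory a model was downloaded to (or against the config fetched before download, where the hub client allows it) and only call `from_pretrained()` when `safe_to_load()` returns True. The walk is deliberately recursive rather than checking only the top-level dict, because the advisory's point is that the override lives in a nested config that the top-level check never sees.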


Fix available: 5.5.0

Affected packages
  • huggingface / huggingface/transformers: < 5.5.0 (from unspecified)

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N