CVE-2026-58116 | Severity: CRITICAL | CNA: VulnCheck

CVE-2026-58116: LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path

LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
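As an added example (not code from LLaMA-Factory or HarborGuard), the following Python contrasts the call pattern the advisory describes with a loader that validates the user-supplied path against a local models root and an explicit Hub repo allowlist and never enables trust_remote_code. MODELS_ROOT, ALLOWED_HUB_REPOS, the helper names and the constructed paths are assumptions for the example.

```python
import os
import re

# Constructed configuration for the example (assumptions, not project values):
# a fixed local models root and an explicit allowlist of Hub repositories.
MODELS_ROOT = "/srv/models"
ALLOWED_HUB_REPOS = frozenset({"meta-llama/Llama-3-8B", "Qwen/Qwen2-7B"})
_HUB_ID_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")


class ModelPathRejected(ValueError):
    """Raised when a user-supplied model path fails validation."""


def vulnerable_load_kwargs(model_path: str) -> dict:
    """The pattern the advisory describes: unvalidated input, remote code on."""
    return {"pretrained_model_name_or_path": model_path, "trust_remote_code": True}


def safe_load_kwargs(model_path: str, models_root: str = MODELS_ROOT,
                     allowed_repos=ALLOWED_HUB_REPOS, is_dir=os.path.isdir) -> dict:
    """Validate a user-supplied model path and build from_pretrained() kwargs.

    Accepts either a directory inside models_root or an allowlisted Hub repo
    id; everything else is rejected. trust_remote_code is always False, so
    transformers loads only built-in architectures and never imports Python
    shipped with the model. is_dir is injectable so the logic tests offline.
    """
    if not model_path or "\x00" in model_path:
        raise ModelPathRejected("empty or malformed model path")
    # Local case: resolve symlinks and '..' before comparing, so inputs such
    # as '../../etc' or '/etc' cannot escape models_root.
    root = os.path.realpath(models_root)
    candidate = os.path.realpath(os.path.join(root, model_path))
    inside_root = os.path.commonpath([root, candidate]) == root and candidate != root
    if inside_root and is_dir(candidate):
        return {"pretrained_model_name_or_path": candidate, "trust_remote_code": False}
    # Hub case: must look like '<namespace>/<name>' AND be on the allowlist.
    if _HUB_ID_RE.match(model_path) and model_path in allowed_repos:
        return {"pretrained_model_name_or_path": model_path, "trust_remote_code": False}
    raise ModelPathRejected(f"model path rejected: {model_path!r}")


def load_tokenizer(model_path: str):
    """Load a tokenizer only through the validated kwargs (lazy import keeps the
    validation testable where transformers is not installed; assumed at runtime)."""
    from transformers import AutoTokenizer
    return AutoTokenizer.from_pretrained(**safe_load_kwargs(model_path))
```

Allowlisting by repo id still trusts whatever that repo's default revision contains; where the deployment can fix a commit, add a `revision=` entry to the returned kwargs as well.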

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Remote code execution in LLaMA-Factory versions through 0.9.5 stems from unsanitized model path input passed directly to Hugging Face transformers library calls with trust_remote_code=True hardcoded. An unauthenticated attacker who can reach the WebUI over the network can supply a malicious model path in the Chat or Training interfaces, causing the server to fetch and execute arbitrary Python code with the privileges of the server process. No patched version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is available.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images derived from hiyouga/LlamaFactory base layers. Any image at or below version 0.9.5 is flagged automatically.
Triage (status: Available)

HarborGuard scores this vulnerability at CVSS 9.3 Critical using the published v4.0 vector and surfaces it at the top of the severity queue. Per-environment compliance policy weighting and team-routing rules direct the finding to the inbox configured for each customer organization, so the right owner sees it without manual triage.
Patch (status: Pending upstream)

Because no upstream fix version exists for CVE-2026-58116, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is published upstream. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation of the WebUI port and egress filtering to block outbound connections to arbitrary model repositories.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the LLaMA-Factory WebUI over the network; the vulnerability is exposed on any interface the server process binds to.

  • Authentication: Not required

    No credentials are required; the vulnerable model path input is accessible to any user who can load the WebUI.

  • Victim interaction: Not required

    No victim action is needed; the attacker submits the malicious model path directly and the server executes it without any user having to click or approve anything.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is straightforward and requires no race condition, specific memory layout, or other environmental precondition beyond network access to the WebUI.

Blast Radius

  • Reads any file or secret accessible to the server process, including model weights, API keys, and environment variables.
  • Modifies or deletes files on the host filesystem within the reach of the server process account.
  • Establishes persistent access or lateral movement by executing attacker-controlled binaries or shell commands on the server.
  • Crashes or degrades the LLaMA-Factory server process, disrupting training and inference workloads.

How HarborGuard Handles This

Available on HarborGuard: any image derived from hiyouga/LlamaFactory at or below version 0.9.5 is detected and flagged Critical within minutes of the CVE entering upstream feeds. Because no upstream patch exists as of the CVE publication date, HarborGuard monitors the advisory on every ingest cycle and will trigger an automated patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as a fix version is published. While awaiting a patch, HarborGuard policy rules can be used to apply compensating controls: restricting network access to the WebUI port via Kubernetes NetworkPolicy or equivalent, blocking outbound connections from the container to external model repositories via egress filtering, and flagging or blocking any deployment of this image in production environments through admission-control policy. Customers should treat any exposed LLaMA-Factory WebUI as equivalent to a compromised host until a patched image is available.

Affected packages

  • hiyouga / LlamaFactory ≤ 0.9.5

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N