CVE-2026-5241
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
A vulnerability in the Hugging Face Transformers library version 5.2.0 in the LightGlue model loading path allows an attacker-controlled model repository to override the `trust_remote_code` parameter in nested calls, leading to arbitrary code execution during model initialization even when the user explicitly disables remote code execution.
Risk Assessment
The risk for the organization includes potential credential theft, lateral movement, and deployment of persistent backdoors in environments such as API servers, research notebooks, CI/CD pipelines, and model evaluation workers.
Recommendation
Immediately update the Hugging Face Transformers library to version 5.2.1 or later, which includes a fix for this vulnerability. Until updated, avoid loading models from untrusted repositories.
Original NVD description (English source)
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.

