Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
Summary
| CVE | CVE-2026-5241 |
|---|---|
| State | PUBLISHED |
| Assigner | @huntr_ai |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-03 14:16:46 UTC |
| Updated | 2026-07-15 01:16:40 UTC |
| Description | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment. |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.005310000 probability, percentile 0.412630000 (date 2026-07-16)
Problem Types: CWE-829 | CWE-829 CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CWE-829 Inclusion of Functionality from Untrusted Control Sphere
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
| 3.0 | [email protected] | Secondary | 8 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
| 3.0 | CNA | DECLARED | 8 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v3.0 Breakdown
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Huggingface | Transformers | 5.2.0 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Huggingface | Huggingface/transformers | affected unspecified 5.5.0 custom | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782471555 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782471579 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1783073038 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782991170 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782471656 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782471663 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1783069204 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782991170 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | unaffected 1782471606 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782135464 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782136276 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782135346 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132167 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132207 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132240 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132286 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132236 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | unaffected 1782132163 * rpm | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:34456 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/huggingface/transformers/commit/676559d5022b74aaa0cee1cee0842... | [email protected] | github.com | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5241.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| huntr.com/bounties/ceb3ce1a-4c45-497a-b25e-cb9a7685e619 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | huntr.com | Exploit, Third Party Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-5241 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-03T15:02:16.132Z | Reported to Red Hat. |
| ADP | 2026-06-03T12:33:10.227Z | Made public. |
Solutions
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:34456: Red Hat OpenShift AI 3.4
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.