Pluto Security disclosed a remote code execution vulnerability in Hugging Face Transformers affecting versions 4.56.0 through 5.2.x.
Tracked as CVE-2026-4372, the flaw allowed attacker-controlled AI models to run arbitrary code on a victim machine during a routine model load. It bypassed the trust_remote_code=False control that many organisations use to limit the risk of running untrusted model code from Hugging Face Hub.
An attacker could place a malicious payload in a model configuration file and trigger execution when a user called the library's standard from_pretrained() method. As a result, a model could compromise a system without warnings, prompts, or changes to the default protection settings many developers and security teams rely on.
Pluto Security estimated that vulnerable versions were downloaded 232 million times during the six months the flaw remained live. According to the disclosure, Hugging Face Transformers is one of the most widely used Python packages in artificial intelligence software, with more than 2.2 billion total downloads and about 146 million monthly downloads.
Trusted workflow
The finding adds to broader concerns over AI supply-chain security as companies and researchers pull models from public repositories and load them into development, testing, and production systems. In this case, the risk emerged through a workflow many users would have considered routine and relatively safe because the remote code setting was disabled.
"Organisations have spent years building policies around the idea that keeping trust_remote_code disabled makes model loading safe. This vulnerability showed that assumption could be broken. A single malicious configuration field could turn a standard model download into a silent system compromise," said Yotam Perkal, Director of Security Research at Pluto Security.
Successful exploitation could expose data and infrastructure details available to the compromised machine. Those assets could include cloud credentials, API keys, SSH keys, Kubernetes configurations, database credentials, source code, and proprietary datasets.
Systems used for enterprise AI, automated model testing, and GPU-backed workloads would be especially attractive targets because they often hold sensitive credentials and direct access to valuable data. The flaw gave attackers a way to embed malicious behaviour in a trusted library workflow rather than relying on a victim to run a suspicious script manually.
Patch released
Hugging Face addressed the issue in Transformers version 5.3.0. The update blocks attacker-controlled configuration values from reaching the affected code path and requires explicit user consent before untrusted external kernels are loaded.
Pluto Security reported the vulnerability to Hugging Face in February. The disclosure comes amid growing scrutiny of malicious repositories in the AI software ecosystem, including recent concerns over repositories on model-sharing platforms that drew attention before being removed.
Pluto Security urged organisations using Transformers to upgrade to version 5.3.0 or later and review their model-loading workflows and cached configurations. It added that the presence of _attn_implementation_internal in cached or downloaded config.json files should be treated as a warning sign during internal checks.
It also advised users to treat model-loading operations as potential code execution surfaces, isolate model evaluation environments, restrict outbound network access, and reduce the credentials available within AI infrastructure. Those steps reflect a growing view among security teams that models and their associated files should be handled with similar caution to software packages and scripts.
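As an added example (not Pluto Security's or Hugging Face's code), the two checks recommended above written as a small audit script: it compares an installed Transformers version against the affected range stated in the disclosure (4.56.0 through 5.2.x, fixed in 5.3.0) and walks a local model cache for config.json files carrying the _attn_implementation_internal key. The cache layout, the descent into nested sub-configs and the two sample configs are assumptions constructed for the demo.

```python
import json, tempfile
from itertools import takewhile
from pathlib import Path

# Indicator named in the disclosure: this key in a cached config.json is a warning sign.
SUSPICIOUS_CONFIG_KEY = "_attn_implementation_internal"
# Affected range as stated in the disclosure: 4.56.0 through 5.2.x; fixed in 5.3.0.
AFFECTED_MIN, FIXED_VERSION = (4, 56, 0), (5, 3, 0)


def parse_version(version: str) -> tuple:
    """Map '5.2.1' or '4.57.0.dev0' to a comparable (major, minor, patch) tuple."""
    nums = [int("".join(takewhile(str.isdigit, p)) or 0) for p in version.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(version: str) -> bool:
    """True when the installed Transformers release lies in the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def config_is_suspicious(config) -> bool:
    """Flag a parsed config.json carrying the indicator key at any nesting level (assumption: broader than the advisory's wording)."""
    if not isinstance(config, dict):
        return False
    return SUSPICIOUS_CONFIG_KEY in config or any(map(config_is_suspicious, config.values()))


def scan_cache(root: Path) -> list:
    """Return every config.json under a model cache directory that carries the indicator."""
    hits = []
    for path in root.rglob("config.json"):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it rather than abort the audit
        if config_is_suspicious(data):
            hits.append(path)
    return hits


def demo_scan() -> list:
    """Scan a throwaway cache holding one benign and one flagged config (constructed samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {"benign-model": {"model_type": "bert", "hidden_size": 768},
                   "flagged-model": {"model_type": "bert", SUSPICIOUS_CONFIG_KEY: "<placeholder>"}}
        for name, cfg in samples.items():
            (root / name).mkdir()
            (root / name / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
        return sorted(p.parent.name for p in scan_cache(root))


if __name__ == "__main__":
    print("flagged:", demo_scan(), "| 5.2.1 affected:", is_affected_version("5.2.1"))
```

Point scan_cache at the real cache directory (for example the directory Transformers downloads into) to audit an actual host; a hit is a reason to quarantine that model directory and check which version loaded it.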
"The AI industry has made downloading models from the internet feel as routine as installing software packages. As these ecosystems continue to grow, organizations need to recognize that model-loading is increasingly a security boundary and treat it accordingly," said Shahar Bahat, Chief Executive Officer and Co-founder of Pluto Security.