Malicious Hugging Face Models Can Trigger Remote Code Execution

Researchers say a remote code execution flaw in Hugging Face Transformers—tracked as CVE-2026-4372—can be triggered simply by loading a malicious model config.json, bypassing the library’s trust_remote_code=False safeguard. The result can be exposure of cloud

For many organizations, “loading a model” is a routine task. No prompts. No security dialogs. Just a standard call to from_pretrained().

That’s exactly what makes the new warning so unsettling: researchers at Pluto disclosed a remote code execution vulnerability in the Hugging Face Transformers library that can run attacker-controlled code when someone loads a malicious Hugging Face model. It does this without special flags, without warnings, and without requiring additional user interaction beyond the model load.

The flaw is tracked as CVE-2026-4372, and it targets how Transformers handles a model’s configuration file—config.json. In the researchers’ account, a single poisoned field inside that config.json “silently executes arbitrary code on anyone who loads it.” The quote is blunt: no special flags, no warnings, just the standard from_pretrained() call.

CVE-2026-4372 matters because it undermines a control many teams rely on.

Transformers has a trust_remote_code=False setting intended to prevent untrusted remote code from running. Researchers say the vulnerability bypasses that built-in protection.

They also link the issue to real-world deployment patterns. The vulnerability affects multiple Transformers versions when the optional kernels package is installed—a setup that is common in GPU-accelerated AI environments. It’s not enabled by default, but it often shows up in environments built for speed, including those using the transformers[all] installation option.

The stakes aren’t abstract. The researchers demonstrated that exploitation could expose cloud credentials, SSH keys, API tokens, and other sensitive assets. Once code runs, those assets can become a direct path into enterprise infrastructure.

The mechanics start with config.json, but the pathway to code execution goes through attention kernel selection. One setting in the model configuration, _attn_implementation_internal, controls which attention kernels Transformers uses.

By modifying that attribute to reference a malicious kernel repository hosted on Hugging Face Hub, an attacker can cause the library to automatically download and import attacker-controlled Python code. Because this happens during a routine from_pretrained() operation, victims would not necessarily see unusual prompts or warnings before the malicious code executes.

Researchers also described the scale of exposure risk before a patch was released. Vulnerable Transformers versions were downloaded about 232 million times prior to the patch, creating supply chain risk for organizations using third-party AI models.

The underlying issue, they say, is how the library applies configuration parameters. Transformers relied on a generic setattr() mechanism that applied configuration parameters directly to internal objects, including private attributes that were never intended to be influenced by untrusted input. That design choice is what makes a crafted configuration able to manipulate internal settings.

One detail stands out because it ties many of these pieces together: the exploit requires no special permissions, no security exceptions, and no extra user interaction beyond loading the model. The attack is built for “normal” behavior—exactly what operational teams tend to assume is safe when using common library calls.

The fix and the workload now shift to defenders. Researchers’ guidance is practical and immediate: upgrade to the latest Transformers version, review environments that include the optional kernels package, and restrict the use of unapproved third-party AI models.

They also urge teams to maintain an up-to-date software bill of materials (SBOM) and an AI asset inventory to track deployed models, libraries, dependencies, and related components. Another recommendation is to evaluate external models in isolated, sandboxed environments before introducing them into production workflows.

Containment and credential discipline are also part of the recipe they outline. They call for least-privilege access controls and say organizations should avoid storing long-lived credentials, API keys, or sensitive secrets on model-loading systems.

Because the vulnerability relies on downloading and importing attacker-controlled content, network controls matter too. Researchers advise restricting outbound network connections and monitoring for unusual model downloads, package imports, repository references, and other suspicious activity originating from machine learning infrastructure.
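The configuration-handling weakness described above (a generic setattr() that lets file contents reach private attributes) and the pre-production review the researchers recommend can both be illustrated in a few lines. The following is an added example, not Transformers source code: the class names, the public-field list, the approved-backend allowlist and the repository id in the sample config are all hypothetical placeholders.

```python
"""Toy illustration of the config.json handling weakness and a pre-load audit.
Added example, not Transformers code; field names and allowlist are hypothetical."""
import json

# Attention backends this deployment has approved. Hypothetical allowlist: the
# valid names for a real install depend on the Transformers version in use.
APPROVED_ATTN = {"eager", "sdpa"}


class UnsafeConfig:
    """Mirrors the pre-patch pattern the article describes: every key from the
    untrusted config.json is applied with setattr(), including private ones."""
    def __init__(self, data: dict):
        self._attn_implementation_internal = "eager"  # internal, not user-facing
        for key, value in data.items():
            setattr(self, key, value)  # untrusted input reaches private state


class HardenedConfig:
    """Applies only known public fields; private attributes cannot be set from
    the file, so the attention backend stays under the library's control."""
    PUBLIC_FIELDS = {"model_type", "hidden_size", "num_attention_heads"}

    def __init__(self, data: dict):
        self._attn_implementation_internal = "eager"
        for key, value in data.items():
            if key.startswith("_"):
                raise ValueError(f"private attribute in config.json: {key}")
            if key not in self.PUBLIC_FIELDS:
                raise ValueError(f"unknown config key: {key}")
            setattr(self, key, value)


def audit_config(config_text: str) -> list:
    """Return findings for a config.json before any from_pretrained() call:
    private (underscore) keys and attention backends outside the allowlist."""
    data = json.loads(config_text)
    findings = []
    for key, value in data.items():
        if key.startswith("_"):
            findings.append(f"private attribute set from file: {key}")
        if "attn_implementation" in key and value not in APPROVED_ATTN:
            findings.append(f"attention backend not on allowlist: {key}={value!r}")
    return findings


# Constructed samples. The suspicious one points the attention field at a
# Hub-style repository id instead of a built-in backend (placeholder, not real).
SUSPICIOUS_DATA = {"model_type": "llama", "hidden_size": 4096,
                   "_attn_implementation_internal": "example-org/kernel-repo-placeholder"}
CLEAN_DATA = {"model_type": "llama", "hidden_size": 4096}
SUSPICIOUS, CLEAN = json.dumps(SUSPICIOUS_DATA), json.dumps(CLEAN_DATA)
```

Running audit_config() over every config.json in a model staging area before the model reaches a system holding credentials gives a cheap, offline check that complements the upgrade and network controls above.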

Finally, they recommend testing incident response plans and using attack-simulation solutions with scenarios focused on AI workloads and supply chain compromise.

Taken together, the message from Pluto is clear: the AI supply chain isn’t just about models anymore—it’s also about configuration files, library behavior, and the trusted defaults that make deployments easy.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
