Hugging Face Transformers CVE-2026-4372 Turns Model Loading Into a Security Checkpoint
NVD lists CVE-2026-4372 as a critical Transformers remote code execution issue affecting versions before 5.3.0, and independent reporting says routine model loading could run attacker-controlled code.
CVE-2026-4372 is a critical remote code execution issue in Hugging Face Transformers versions before 5.3.0, according to NVD. The core risk is that a malicious model configuration could cause arbitrary Python code to run during a standard AutoModelForCausalLM.from_pretrained() load path. That makes model intake, cache review, and dependency version checks part of the security boundary for AI teams.
Key takeaways
- NVD says Transformers versions before 5.3.0 are affected and advises upgrading to 5.3.0 or later.
- The reported attack path involves a malicious config.json using _attn_implementation_internal to point at attacker-controlled Hugging Face Hub code.
- The NVD entry says the issue can bypass the expected protection of trust_remote_code.
- The Hugging Face patch commit blocks problematic internal fields from config deserialization and restricts hub kernel loading.
- Independent reporting from SiliconANGLE says the issue is most relevant to model evaluation pipelines, GPU environments, and enterprise AI platforms that load external models automatically.
Practical LinkLoot angle
Treat this as a workflow problem, not just a library upgrade. Any AI stack that pulls models from the internet should have an intake checklist: pin Transformers, review model configs, isolate evaluation jobs, scan caches, and keep secrets out of model-loading environments.
| Checkpoint | What to do | Why it matters | Source |
|---|---|---|---|
| Dependency version | Upgrade Transformers to 5.3.0 or later | NVD lists versions before 5.3.0 as affected | NVD |
| Model config review | Search cached and downloaded config.json files for _attn_implementation_internal | The field is central to the reported attack path | NVD, SiliconANGLE |
| Execution isolation | Run model evaluation in a sandbox or low-privilege container | Model loading can behave like code execution | SiliconANGLE |
| Patch verification | Review the Hugging Face commit and installed package version | Confirms the fix reached the environment you operate | GitHub commit |
The practical mistake is assuming trust_remote_code=False turns model loading into a safe data-only operation. For production teams, the better default is to classify model loading like package installation: it needs version pinning, provenance checks, cache hygiene, and runtime isolation.
What to verify before you act
First, check the exact installed Transformers version in every notebook image, inference container, evaluation runner, and CI job. Then review whether the optional kernels path exists in your stack and whether any automation loads models from unreviewed Hugging Face Hub repositories. If your environment stores cloud tokens, SSH keys, API keys, datasets, or source code near the model-loading process, rotate or isolate credentials after any suspicious model load.
Do not rely on a single scanner result. Confirm the installed package version, inspect cached configs, and look for unexpected external kernel references in model metadata. If you maintain internal model mirrors, refresh mirrors only after the upstream source and hash are verified.
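The three checks above (installed version against 5.3.0, cached config.json review for _attn_implementation_internal, and a look for external kernel references) as one small Python audit script. This is an added example, not code from the page, NVD or Hugging Face; the "org/repo"-style reference heuristic and the cache layout written by demo() are assumptions.

```python
import importlib.metadata
import json
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (5, 3, 0)  # NVD: Transformers versions before 5.3.0 are affected
SUSPECT_FIELD = "_attn_implementation_internal"  # field named in the reported attack path


def is_vulnerable_version(version: str) -> bool:
    """True when the leading major.minor.patch of a version string sorts before 5.3.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (parts + (0, 0, 0))[:3] < FIXED_VERSION


def installed_transformers_version():
    """Installed Transformers version from package metadata, or None if absent."""
    try:
        return importlib.metadata.version("transformers")
    except importlib.metadata.PackageNotFoundError:
        return None


def audit_config(config: dict) -> list:
    """Findings for one parsed config.json: the known field plus a review heuristic."""
    findings = []
    for key, value in config.items():
        if key == SUSPECT_FIELD:
            findings.append(f"{key} present: {value!r}")
        # Assumption (heuristic, not from the advisory): an 'org/repo'-style value in an underscore field may reference Hub-hosted code
        elif key.startswith("_") and isinstance(value, str) and "/" in value:
            findings.append(f"{key} references {value!r}")
    return findings


def scan_cache(root: Path) -> list:
    """Audit every config.json below root; returns (relative path, finding) pairs."""
    results = []
    for path in sorted(root.rglob("config.json")):
        for finding in audit_config(json.loads(path.read_text())):
            results.append((path.relative_to(root).as_posix(), finding))
    return results


def demo() -> list:
    # Constructed two-model cache (one clean config, one carrying the suspect field) in a temp dir
    samples = {"models--clean": {"model_type": "llama", "hidden_size": 4096},
               "models--suspect": {"model_type": "llama", SUSPECT_FIELD: "placeholder-org/kernels"}}
    with tempfile.TemporaryDirectory() as tmp:
        for name, cfg in samples.items():
            snap = Path(tmp) / name / "snapshots" / "abc"
            snap.mkdir(parents=True)
            (snap / "config.json").write_text(json.dumps(cfg))
        return scan_cache(Path(tmp))
```

Point scan_cache() at your real Hugging Face cache directory (or an internal mirror) and treat any finding as a model to quarantine until reviewed.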
Source check
NVD confirms the CVE description, affected range before Transformers 5.3.0, the from_pretrained() attack path, and the upgrade guidance. The Hugging Face patch commit shows code changes that block selected internal config fields and limit hub kernel loading. SiliconANGLE independently reports the routine-model-load risk, the trust_remote_code=False implication, and the operational exposure for automated AI environments.
For a broader tooling checklist, use LinkLoot's guide to AI workflow automation.
