Supply Chain · High
Hugging Face Transformers RCE via poisoned model config (CVE-2026-4372)
June 2026 · Hugging Face Transformers
What happened
Pluto Security disclosed a remote code execution flaw in Hugging Face Transformers (CVE-2026-4372, CVSS 7.8). A single field in a model config.json, "_attn_implementation_internal": "attacker/kernel-repo", makes the standard AutoModel.from_pretrained() call import and run attacker-controlled code at model load, with no trust_remote_code=True and no user interaction. Vulnerable versions (4.56.0 through 5.2.x, exploitable when the optional kernels package is installed for GPU inference) were downloaded roughly 232 million times before the fix.
Root cause
Config deserialization applied every JSON field to the config object through an unfiltered setattr loop, letting the internal _attn_implementation_internal attribute reach an unsandboxed kernel loader that imported any attacker-named owner/repo as Python via importlib, bypassing the trust_remote_code=False control.
Fix / outcome
Silently patched in Transformers v5.3.0 (released March 4, 2026); the vulnerable code path was removed. Upgrade to 5.3.0 or later, audit cached config.json files for the field, and load untrusted models in sandboxed, egress-restricted environments. No confirmed in-the-wild exploitation of this CVE.
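The mitigation above asks operators to audit cached config.json files for the offending field. The following is an added example, not code from the incident page or from the Transformers project, of a small defender-side audit: it walks a cache directory (layout assumed: any nesting, files named config.json), flags configs that carry "_attn_implementation_internal" or any other leading-underscore key, and shows a config loader that records such internal keys instead of applying them with setattr(). The sample cache it builds, the placeholder repo name, and the AllowlistedConfig class are constructed for illustration.

```python
"""Added example: audit a model cache for the poisoned-config field behind
CVE-2026-4372 and load configs with an allow-list instead of a bare setattr loop.
Not part of the incident page or the Transformers code base."""
import json
import tempfile
from pathlib import Path

# Field named on the incident page as the trigger for the vulnerability.
SUSPECT_FIELD = "_attn_implementation_internal"


def audit_config(data):
    """Classify one parsed config.json. Reports the suspect field's value (or None)
    and every key starting with '_': those are library-internal attributes that a
    model repository has no reason to ship."""
    private_keys = sorted(k for k in data if k.startswith("_"))
    return {
        "suspect_value": data.get(SUSPECT_FIELD),
        "private_keys": private_keys,
        "flagged": bool(private_keys),
    }


def scan_cache(cache_dir):
    """Walk cache_dir for config.json files and return findings for every config
    that sets private keys. Unreadable or non-JSON files are skipped."""
    findings = []
    for path in sorted(Path(cache_dir).rglob("config.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # not a loadable config, nothing to audit
        if not isinstance(data, dict):
            continue
        report = audit_config(data)
        if report["flagged"]:
            report["path"] = str(path)
            findings.append(report)
    return findings


class AllowlistedConfig:
    """Hardened loader (hypothetical). The vulnerable pattern described on the
    page applied every JSON field with an unfiltered setattr loop; here any key
    starting with '_' is kept in .rejected and never becomes an attribute."""

    def __init__(self, data):
        self.rejected = {}
        for key, value in data.items():
            if key.startswith("_"):
                self.rejected[key] = value
                continue
            setattr(self, key, value)


def build_sample_cache(root):
    """Write two constructed config.json files under root: one clean and one
    carrying the suspect field with a placeholder (not a real repository)."""
    clean = Path(root, "models--example--clean", "config.json")
    poisoned = Path(root, "models--example--poisoned", "config.json")
    clean.parent.mkdir(parents=True, exist_ok=True)
    poisoned.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text(json.dumps({"model_type": "bert", "hidden_size": 768}))
    poisoned.write_text(json.dumps({
        "model_type": "bert",
        "hidden_size": 768,
        SUSPECT_FIELD: "PLACEHOLDER-OWNER/PLACEHOLDER-REPO",
    }))
    return str(poisoned)


def demo_scan():
    """Build the constructed sample cache in a temporary directory, scan it, and
    return the findings (exactly one, for the poisoned config)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['path']}: {finding['private_keys']} -> {finding['suspect_value']}")
```

Point scan_cache() at a real cache root (for example the directory HF_HOME resolves to) to list every config that carries internal keys; any hit on the suspect field in a model you did not author is grounds to quarantine that snapshot before the next from_pretrained() call.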