CVE-2026-4372: Hugging Face Transformers Critical RCE via Malicious Model Config.json – 232 Million Downloads Exposed Pre-Patch
Date: 2026-06-11
Tags: malicious-tool, model-poisoning
Executive Summary
The vulnerability allows an attacker to craft a malicious config.json file containing the _attn_implementation_internal field set to an attacker-controlled Hugging Face Hub repository ID. When a victim loads a model using standard Transformers APIs such as AutoModelForCausalLM.from_pretrained(), the library fetches and executes code from the attacker's repository — enabling arbitrary remote code execution. Transformers is the most widely used library for working with AI/ML models — it has hundreds of millions of monthly downloads and is the foundation of the modern NLP and generative AI ecosystem.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | CVE-2026-4372 Exploitation Campaign |
| Attribution | Unknown; likely opportunistic model-poisoning attacks via Hugging Face Hub (confidence: low) |
| Target | Python developers and organizations loading pretrained models from Hugging Face Hub; users of community models; AI/ML researchers and teams |
| Vector | Malicious model config.json published to Hugging Face Hub with _attn_implementation_internal field pointing to attacker-controlled repository containing arbitrary Python code |
| Status | active |
| First Observed | 2026-06-06 |
Detailed Findings
Exploitation requires the victim to load a model from an untrusted source, which is a common workflow in AI/ML development: downloading community models from the Hugging Face Hub, loading models shared by colleagues, or using models from third-party repositories. This follows the pattern of CVE-2026-45829 (ChromaDB) and CVE-2026-47117 (OpenMed), both involving Hugging Face model loading with trust_remote_code or equivalent mechanisms. The Transformers library is the single most widely deployed AI/ML library globally; its install base spans every organisation doing an inference or fine-tuning workflow.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Malicious Repository and Code | T1195.003 | Attacker publishes malicious model with trojanized config.json to Hugging Face Hub, masquerading as legitimate community model |
| Remote Code Execution | T1190 | Transformers library dynamically executes Python code from _attn_implementation_internal field without validation or sandboxing |
| Dependency Exploitation | T1195.001 | Trust in Hugging Face model repository enables model-poisoning attacks against dependent applications |
IOCs
No domain, URL, or Splunk-query indicators are available for this campaign. CVE-2026-4372 affects Hugging Face Transformers library versions prior to 5.3.0; attacks trigger at model load time via from_pretrained() with untrusted sources.
Package Indicators
huggingface-hub (all versions using trust_remote_code or equivalent)
Detection Recommendations
- Implement strict model source validation and avoid loading models from untrusted Hugging Face Hub accounts unless absolutely necessary.
- Pin model versions and repository IDs in deployment configurations.
- Monitor model load operations for unexpected subprocess execution or network access outside of expected cloud provider regions.
- Scan model config.json files for _attn_implementation_internal or other dynamic code-execution fields before loading.
- Use sandbox or containerized environments for model inference to limit RCE impact.
- Implement policy controls that restrict which Hugging Face Hub repositories can be accessed from development and production systems.
- Review the Transformers library changelog for version 5.3.0+, which includes fixes for this class of vulnerability.
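The config.json pre-load scan recommended above, as an added example that is not part of this advisory or of the Transformers project: it flags an _attn_implementation_internal value that is not a built-in implementation name and, because trust_remote_code resolves custom classes through the auto_map field, any auto_map entry that points at a repository outside an allowlist. The built-in implementation set, the allowlist, and the sample configs are assumptions constructed for the example.

```python
import json
import re
from typing import Iterable, List

# Attention implementations that Transformers resolves to its own built-in code
# paths. Assumed for this example; align it with the version you deploy.
BUILTIN_ATTN_IMPLEMENTATIONS = frozenset({"eager", "sdpa", "flash_attention_2"})

# Shape of a Hub repository ID such as "organisation/model-name".
HUB_REPO_ID = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$")


def audit_config(config_text: str, allowed_repos: Iterable[str] = ()) -> List[str]:
    """Inspect raw config.json text before from_pretrained() ever sees it.

    Returns human-readable findings; an empty list means no field in the file
    would make the loader fetch code from outside the library or the allowlist.
    """
    cfg = json.loads(config_text)
    allowed = set(allowed_repos)
    findings = []

    # The field named in the advisory: a built-in name is harmless, while a
    # value shaped like a Hub repository ID makes the loader fetch code from it.
    attn = cfg.get("_attn_implementation_internal")
    if attn is not None and attn not in BUILTIN_ATTN_IMPLEMENTATIONS:
        if not (HUB_REPO_ID.match(str(attn)) and attn in allowed):
            findings.append(f"_attn_implementation_internal references external code: {attn!r}")

    # auto_map is the field trust_remote_code relies on; a target of the form
    # "org/repo--module.Class" pulls the class from that other repository.
    for name, target in cfg.get("auto_map", {}).items():
        target = str(target)
        repo = target.split("--", 1)[0] if "--" in target else None
        if repo is None or repo not in allowed:
            findings.append(f"auto_map[{name}] needs trust_remote_code: {target!r}")
    return findings


# Constructed sample configs (not real models): a clean one, one carrying the
# attacker-controlled field, and one pulling custom code through auto_map.
BENIGN_CONFIG = '{"model_type": "llama", "_attn_implementation_internal": "sdpa"}'
MALICIOUS_CONFIG = ('{"model_type": "llama", '
                    '"_attn_implementation_internal": "example-attacker/not-a-real-kernel"}')
REMOTE_CODE_CONFIG = ('{"model_type": "custom", '
                      '"auto_map": {"AutoModel": "example-org/not-a-real-repo--modeling.Custom"}}')

if __name__ == "__main__":
    for label, text in [("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG),
                        ("remote-code", REMOTE_CODE_CONFIG)]:
        print(label, audit_config(text) or "OK")
```

Run the audit on the downloaded config.json before calling from_pretrained(), and refuse the load whenever it returns findings.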
References
- [Threat-Modeling.com Vulnerability Intelligence Report] Vulnerability Intelligence Report — June 6, 2026 (2026-06-06) — https://threat-modeling.com/vulnerability-intelligence-report-june-6-2026/
- [NIST NVD] CVE-2026-4372: Remote Code Execution via Hugging Face Transformers Config Injection (2026-06-06) — https://nvd.nist.gov/vuln/detail/CVE-2026-4372