cyberivy
Tags: Hugging Face, Transformers, AI Security, CVE-2026-4372, Supply Chain, Machine Learning, Open Source AI, DevSecOps

Transformers Flaw Turns Model Downloads Into a Code Trap

June 6, 2026

[Image: open server rack with densely stacked servers, cables and blinking status lights]

CVE-2026-4372 shows a real AI supply-chain risk: a malicious config.json could make Hugging Face Transformers run foreign Python code even when trust_remote_code was disabled.

## What this is about

On June 4, 2026, Pluto Security published details on CVE-2026-4372, a remote code execution flaw in Hugging Face Transformers. According to Pluto, it affected versions 4.56.0 through 5.2.x when the optional kernels package was installed. The fix shipped in Transformers 5.3.0.

The concerning part is not only that foreign code could run. It is the path: according to NVD and Pluto, an attacker could use a malicious model config.json to bypass the safety assumption that trust_remote_code=False prevents automatic execution of remote code.

## What the flaw actually does

Transformers normally loads models through from_pretrained(). That call reads the configuration, the weights and other model files from the Hugging Face Hub or a local cache. In CVE-2026-4372, a malicious field named _attn_implementation_internal in the model configuration could steer loading into an unsandboxed kernel-loading path, one that is only reachable when the optional kernels package is installed.

From the user's point of view the operation looked normal: no warning, no deliberate trust_remote_code=True, no obvious special case. That is exactly why the flaw matters for ML platforms, CI pipelines and GPU test environments, where models are loaded automatically and nobody is watching the console.

## Why it matters

Hugging Face Transformers is one of the central libraries of modern machine-learning workflows. Pluto cites more than 2.2 billion PyPI installs, about 146 million downloads per month and more than one million models on the Hugging Face Hub. Even if only a subset of installations was vulnerable, the attack surface is large.

The case shifts the security debate. For a long time the working assumption was: if you do not enable a remote-code flag and do not run suspicious scripts, a model download is mostly a data operation. CVE-2026-4372 shows that the model configuration itself can become a code-execution boundary.

## In plain language

Imagine buying a new shelf and reading only the assembly manual. Hidden in the manual is an instruction: "Call this stranger and give them your house key." That is the danger of a malicious model configuration: the file looks like a description, but it can start a dangerous process.

For AI models, config.json is not just a label. It influences how the library assembles the model. If that boundary is not controlled, a harmless-looking download becomes an execution path.

## A practical example

A team tests 200 new open-source models every week for a support chatbot. The tests run on GPU runners with cloud access because the benchmarks need to finish quickly. A malicious model enters the candidate list and is loaded automatically with from_pretrained().

If the runner is vulnerable, foreign code could read environment variables, API keys or Kubernetes configurations. Even if the attack succeeds in only one percent of test runs, a single compromised runner can be enough to expose internal secrets. That is why model loading belongs in isolated, monitored environments.

## Scope and limits

- According to Pluto, exposure depends on a vulnerable Transformers version plus the installed kernels package; not every installation carried the same risk.
- The flaw is addressed in Transformers 5.3.0 or later, but old versions may persist in notebooks, container images and CI caches.
- The report does not prove mass exploitation. It does prove that the technical safety assumption behind trust_remote_code=False could be broken on this path.
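The two checks a pipeline owner would want after reading the sections above are (1) whether a runner sits in the exposure window the article describes (affected Transformers version plus the kernels package present) and (2) whether a candidate model's config.json carries the `_attn_implementation_internal` field the article names. The following is an added example, not code from Pluto Security, Hugging Face or this article. It assumes that any occurrence of that key in a downloaded config.json is worth stopping a job for review, treats pre-release version strings as the release they name, and uses constructed sample configs; the hypothetical value `kernels-community/example-kernel` is made up for illustration.

```python
"""Pre-load audit for Hugging Face model directories (added example, not
Pluto's or Hugging Face's code).  Assumptions: the version window comes from
the article; flagging any occurrence of the suspect key is this example's rule."""
import importlib.metadata
import importlib.util
import json
import re
from pathlib import Path

SUSPECT_KEY = "_attn_implementation_internal"   # field named in the advisory
AFFECTED_MIN = (4, 56, 0)                        # first affected version (per the article)
FIXED = (5, 3, 0)                                # first fixed version (per the article)


def parse_version(v: str) -> tuple:
    """'5.2.1', '4.56.0rc1' or '5.3.0.dev0' -> comparable int tuple.
    Simplification: pre-release tags are ignored, so '5.3.0.dev0' counts as 5.3.0."""
    parts = []
    for piece in v.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def runner_exposed(transformers_version: str, kernels_installed: bool) -> bool:
    """True when BOTH conditions from the article hold: an affected Transformers
    version and the optional `kernels` package installed."""
    return kernels_installed and AFFECTED_MIN <= parse_version(transformers_version) < FIXED


def kernels_present() -> bool:
    """Detect the optional `kernels` package without importing it."""
    return importlib.util.find_spec("kernels") is not None


def installed_transformers_version():
    """Installed Transformers version string, or None when not installed."""
    try:
        return importlib.metadata.version("transformers")
    except importlib.metadata.PackageNotFoundError:
        return None


def audit_config(config: dict) -> list:
    """Return findings ('dotted.path = value') for every occurrence of the suspect key,
    including inside nested sub-configs such as text_config / vision_config."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, val in node.items():
                here = f"{path}.{k}" if path else k
                if k == SUSPECT_KEY:
                    findings.append(f"{here} = {val!r}")
                walk(val, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(config, "")
    return findings


def audit_model_dir(model_dir: str) -> list:
    """Audit <model_dir>/config.json; a missing file is itself reported."""
    cfg_path = Path(model_dir) / "config.json"
    if not cfg_path.is_file():
        return [f"{cfg_path} missing"]
    with cfg_path.open(encoding="utf-8") as fh:
        return audit_config(json.load(fh))


def load_decision(config: dict, transformers_version: str, kernels_installed: bool) -> str:
    """CI gate: 'allow' (clean config), 'block' (suspect config on an exposed runner,
    i.e. the advisory's condition) or 'review' (suspect config, runner not exposed)."""
    if not audit_config(config):
        return "allow"
    if runner_exposed(transformers_version, kernels_installed):
        return "block"
    return "review"


# Constructed sample configs; not taken from any real model.
BENIGN_CONFIG = {"model_type": "llama", "hidden_size": 4096}
SUSPECT_CONFIG = {"model_type": "llama", "hidden_size": 4096,
                  "_attn_implementation_internal": "kernels-community/example-kernel"}  # hypothetical

if __name__ == "__main__":
    ver = installed_transformers_version() or "5.2.1"   # fall back to a sample version
    print("runner exposed:", runner_exposed(ver, kernels_present()))
    print("benign  ->", load_decision(BENIGN_CONFIG, ver, True))
    print("suspect ->", load_decision(SUSPECT_CONFIG, ver, True))
```

Run `audit_model_dir()` on every freshly downloaded snapshot before the from_pretrained() step, and keep `runner_exposed()` in the runner's health check so a stale image that still carries 4.56.0 through 5.2.x plus kernels is caught even when no model is being tested.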

💡 In plain English

An AI model can be more than harmless data. In this case, a malicious configuration file could run foreign code while a model was being loaded, even though an important safety option was supposed to stay disabled.

Key Takeaways

  • CVE-2026-4372 was publicly detailed on June 4, 2026.
  • According to Pluto, Transformers 4.56.0 through 5.2.x were affected when the kernels package was installed.
  • The attack could be triggered through a malicious config.json and from_pretrained().
  • The flaw bypassed the safety assumption behind trust_remote_code=False.
  • Teams should upgrade to Transformers 5.3.0 or later and isolate model loading.

FAQ

Should every Hugging Face model be treated as dangerous?

No. But model loading should be treated like software execution, especially in automated pipelines.

Which version fixes the flaw?

The sources name Transformers 5.3.0 or later as the fix.

Is trust_remote_code=False still enough?

It remains important, but this case shows it must not be the only protective layer.

Sources & Context