{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-44513", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-06T18:28:20.887Z", "datePublished": "2026-05-14T16:26:03.907Z", "dateUpdated": "2026-07-15T00:53:37.825Z" }, "containers": { "cna": { "title": "Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "references": [ { "name": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v" } ], "affected": [ { "vendor": "huggingface", "product": "diffusers", "versions": [ { "version": "< 0.38.0", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-14T16:26:03.907Z" }, "descriptions": [ { "lang": "en", "value": "Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0." } ], "source": { "advisory": "GHSA-98h9-4798-4q5v", "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-14T17:38:51.150920Z", "id": "CVE-2026-44513", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T19:51:06.991Z" } }, { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "affected", "packageName": "rhaiis/vllm-cpu-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "unaffected", "packageName": "rhaiis/vllm-cuda-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "unaffected", "packageName": "rhaiis/vllm-rocm-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "affected", "packageName": "rhaiis/vllm-tpu-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "affected", "packageName": "rhaii/vllm-cpu-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ai_inference_server:3" ], "defaultStatus": "affected", "packageName": "rhaii/vllm-cuda-rhel9", "product": "Red Hat AI Inference Server", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "affected", "packageName": "rhelai3/bootc-aws-cuda-rhel9", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "affected", "packageName": "rhelai3/bootc-azure-cuda-rhel9", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "affected", "packageName": "rhelai3/bootc-cuda-rhel9", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "affected", "packageName": "rhelai3/bootc-gcp-cuda-rhel9", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "packageName": "rhoai/odh-openvino-model-server-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "packageName": "rhoai/odh-th06-cuda130-torch210-py312-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "unaffected", "packageName": "rhoai/odh-th06-cuda130-torch291-py312-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "packageName": "rhoai/odh-th06-rocm64-torch291-py312-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "packageName": "rhoai/odh-training-rocm64-torch29-py312-rhel9", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" } ], "datePublic": "2026-05-14T16:26:03.907Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in Diffusers, a library for pretrained diffusion models. A remote attacker could exploit a bypass in the `trust_remote_code` mechanism within the `DiffusionPipeline.from_pretrained` function. This vulnerability allows for arbitrary remote code execution, even when the user explicitly sets `trust_remote_code=False` or omits it. The issue stems from the security check being incorrectly placed, allowing malicious code to be loaded and executed by bypassing the intended security gate." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-358", "description": "Improperly Implemented Security Check for Standard", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-44513" }, { "name": "RHBZ#2477507", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477507" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44513.json" } ], "timeline": [ { "lang": "en", "time": "2026-05-14T17:02:10.040Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-05-14T16:26:03.907Z", "value": "Made public." } ], "title": "Diffusers: Diffusers: Arbitrary remote code execution via `trust_remote_code` bypass", "workarounds": [ { "lang": "en", "value": "Use DiffusionPipeline.from_pretrained() only with model paths, custom pipelines,\nand local snapshots from fully trusted and audited sources. Avoid setting\ncustom_pipeline= to a Hub repository that differs from the primary model path\nunless its pipeline.py has been manually reviewed. When loading a local snapshot, check for unexpected *.py files at the snapshot root and under component subdirectories (unet/, scheduler/, etc.) before calling from_pretrained.\n\nThe only complete fix is upgrading to diffusers 0.38.0." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-15T00:53:37.825Z" } } ] } }