Cyber Resilience

CVE-2026-5241

Critical · Public PoC · Updated

Published: 03 June 2026

Modified: 30 June 2026
CISA KEV: not listed
CVSS v3.1 Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0049 (38.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-5241 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Huggingface Transformers. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE is ranked at the 38.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

Vulnerability details

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.
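A defender-side pre-load check, added here as an example and not code from the advisory or from the transformers project: it walks a model repository's `config.json` and reports every `trust_remote_code` or `auto_map` entry at any nesting depth before any `from_pretrained()` call is made, so the caller's `trust_remote_code=False` is not the only gate. The sample config is constructed; treating `auto_map` as a remote-code marker is an assumption of this example.

```python
import json
from typing import Any

# Constructed sample config.json in the shape the advisory describes: a top-level
# LightGlue config whose nested sub-model config smuggles in trust_remote_code
# and an auto_map entry pointing at a Python module shipped in the repository.
SAMPLE_CONFIG_JSON = """
{
  "model_type": "lightglue",
  "keypoint_detector_config": {
    "model_type": "superpoint",
    "trust_remote_code": true,
    "auto_map": {"AutoModel": "custom_module.CustomModel"}
  }
}
"""


def find_remote_code_markers(node: Any, path: str = "$") -> list[str]:
    """Return JSON paths of keys that can trigger remote code loading, at any depth.

    trust_remote_code is flagged only when true; auto_map (assumed marker) is
    flagged whenever it is a non-empty mapping. Lists and nested dicts are
    walked so a marker hidden in a sub-model config is still reported.
    """
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "trust_remote_code" and value is True:
                hits.append(child)
            elif key == "auto_map" and isinstance(value, dict) and value:
                hits.append(child)
            hits.extend(find_remote_code_markers(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_remote_code_markers(item, f"{path}[{index}]"))
    return hits


def scan_config_text(config_text: str) -> list[str]:
    """Parse a config.json body and return the offending JSON paths (empty if clean)."""
    return find_remote_code_markers(json.loads(config_text))


if __name__ == "__main__":
    for hit in scan_config_text(SAMPLE_CONFIG_JSON):
        print("remote-code marker at", hit)
```

Quarantine the repository when the scan returns any path, regardless of what `trust_remote_code` the caller intends to pass.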

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: huggingface, transformers

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Vulnerability enables arbitrary code execution via attacker-controlled model repositories during loading, directly mapping to compromise of the software supply chain.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12720: same product (Huggingface Transformers)
CVE-2025-5120: same vendor (Huggingface)
CVE-2026-6859: shared CWE-829
CVE-2026-2654: same vendor (Huggingface)
CVE-2026-4963: same vendor (Huggingface)
CVE-2026-44513: same vendor (Huggingface)
CVE-2026-44827: same vendor (Huggingface)
CVE-2026-25874: same vendor (Huggingface)
CVE-2026-40313: shared CWE-829
CVE-2026-3991: shared CWE-829

Affected Assets

huggingface/transformers 5.2.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following addresses CWE-829:

- Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
- The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
- Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
- Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
- Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
- Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.
- Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.