Cyber Resilience

CVE-2026-6859

Severity: High
Published: 22 April 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (27.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6859 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Red Hat InstructLab. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 27.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6859 is a vulnerability in InstructLab, an open-source tool for fine-tuning large language models. The flaw resides in the `linux_train.py` script, which hardcodes the `trust_remote_code=True` parameter when loading models from the HuggingFace Hub. Published on 2026-04-22, it is rated 8.8 severity under CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and maps to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

A remote attacker can exploit this vulnerability by publishing a specially crafted malicious model to the HuggingFace Hub and social-engineering a victim into executing `ilab train`, `download`, or `generate` commands with that model. Successful exploitation grants arbitrary Python code execution on the victim's system, potentially resulting in complete system compromise, as the hardcoded trust setting bypasses safeguards against untrusted code.

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-6859 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2459998. Security practitioners should consult these resources for patching instructions and workarounds specific to affected InstructLab deployments.
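As an added example (not InstructLab's code and not Red Hat's fix), the Python below shows the defensive pattern that replaces a hardcoded `trust_remote_code=True`: inspect the downloaded snapshot for the `auto_map` entries that make transformers import repository code, and pass `trust_remote_code=True` only for a model pinned to a hand-reviewed revision. The allowlist entries, repo names and sample snapshot are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist of (repo id, pinned commit) pairs reviewed by hand.
# The names are placeholders for illustration, not real repositories.
APPROVED_REMOTE_CODE = {("example-org/reviewed-model", "0123abcd")}

def snapshot_needs_remote_code(snapshot_dir):
    """True if loading this local HF snapshot would execute repository code.

    transformers resolves custom classes through the 'auto_map' entry in
    config.json / tokenizer_config.json; loose *.py files are treated as a
    second signal so a stripped config cannot hide modeling code."""
    root = Path(snapshot_dir)
    for name in ("config.json", "tokenizer_config.json"):
        path = root / name
        if path.is_file() and json.loads(path.read_text()).get("auto_map"):
            return True
    return any(root.glob("*.py"))

def safe_load_kwargs(model_id, revision, snapshot_dir):
    """Build from_pretrained kwargs that never enable remote code implicitly.

    Unlike a hardcoded trust_remote_code=True, custom code is permitted only
    for a reviewed (repo, commit) pair; anything else is refused before load."""
    needs = snapshot_needs_remote_code(snapshot_dir)
    approved = (model_id, revision) in APPROVED_REMOTE_CODE
    if needs and not approved:
        raise PermissionError(
            f"{model_id}@{revision} ships custom code and is not on the allowlist")
    return {"revision": revision, "trust_remote_code": needs and approved}

def make_sample_snapshot(custom_code):
    """Constructed sample snapshot directory; not a real model download."""
    root = Path(tempfile.mkdtemp())
    cfg = {"model_type": "llama", "architectures": ["LlamaForCausalLM"]}
    if custom_code:
        cfg["auto_map"] = {"AutoModelForCausalLM": "modeling_custom.CustomModel"}
        (root / "modeling_custom.py").write_text("# would run at load time\n")
    (root / "config.json").write_text(json.dumps(cfg))
    return str(root)

if __name__ == "__main__":
    plain = make_sample_snapshot(custom_code=False)
    print(safe_load_kwargs("example-org/plain-model", "abcd0123", plain))
```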

Vulnerability details

A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.

CWE(s)

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: huggingface

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.006 Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Vulnerability enables arbitrary Python code execution (T1059.006) via exploitation of client-side software (T1203) when loading untrusted models from HuggingFace Hub, facilitating supply chain compromise of software dependencies/development tools (T1195.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6855 (same product: Redhat Enterprise Linux Ai)
CVE-2025-12805 (same vendor: Redhat)
CVE-2026-28368 (same vendor: Redhat)
CVE-2026-3047 (same vendor: Redhat)
CVE-2026-4636 (same vendor: Redhat)
CVE-2026-7307 (same vendor: Redhat)
CVE-2026-28369 (same vendor: Redhat)
CVE-2026-3121 (same vendor: Redhat)
CVE-2026-3009 (same vendor: Redhat)
CVE-2026-9795 (same vendor: Redhat)

Affected Assets

redhat / instructlab: all versions
redhat / enterprise linux ai: 3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation through patching directly fixes the hardcoded trust_remote_code=True in InstructLab's linux_train.py script, preventing exploitation.

SC-18 Mobile Code (prevent)

Restricts execution of mobile code from untrusted sources like HuggingFace models, blocking arbitrary Python code execution unless explicitly approved from verified sources.

SI-3 Malicious Code Protection (prevent, detect)

Malicious code protection scans and eradicates harmful Python code in downloaded HuggingFace models at entry points during ilab train/download/generate operations.

References