External risk intelligence

LightGlue Model Loading Vulnerability in Hugging Face Transformers Allows Arbitrary Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-5241

The vulnerability affects a library used in machine learning model loading. While it can impact API inference servers, it typically requires a user or service to explicitly load an untrusted model or configuration file. It is not an inherently internet-facing gateway or service by design, but usage in public-facing inference pipelines makes reachability possible in specific deployment contexts.

Remote Code Execution

Huggingface Transformers

5.2.0

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists within the model loading process of the huggingface/transformers library, allowing for arbitrary code execution even when safeguards are intended to be active. This issue arises from how configurations are handled, potentially enabling attackers to bypass security settings and run malicious code during model initialization. The primary concern for leadership is to confirm if this technology is in use and if any exposure exists within your environment.

  • Malicious code can run during model loading.
  • Confirms relevance and exposure in your environment.
  • Understand potential for unauthorized code execution.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user or service into loading a specially crafted model repository. This repository would contain malicious configuration data that overrides security settings, allowing the attacker's code to run when the model is initialized. This could lead to serious consequences like credential theft or system compromise.

  • Requires user to load untrusted model.
  • Malicious config overrides security settings.
  • Risk of code execution and compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker-controlled model repository could execute arbitrary code during model initialization. This can occur even when remote code execution is explicitly disabled, potentially impacting API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers.

  • Model loading code and configurations.
  • Loading untrusted model from repository.
  • Arbitrary code execution and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

In real-world deployments, teams responsible for machine learning pipelines, such as platform or data science teams, are likely to own this vulnerability. The first practical step is to identify all instances where the affected model loading library is used, confirm exposure to untrusted model repositories, and then determine the business criticality of those instances to prioritize remediation.

  • Platform or ML teams own this issue.
  • Verify untrusted model loading is configured.
  • Plan remediation based on exposure risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the huggingface/transformers library?

It is a popular Python library used by developers and data scientists to download, train, and deploy machine learning models. It acts as the infrastructure for handling various AI architectures, including LightGlue, making it essential for building modern machine learning pipelines, research environments, and automated inference services.

What is the vulnerability in CVE-2026-5241?

This vulnerability is classified as CWE-829, which concerns the inclusion of functionality from an untrusted control sphere. In this specific case, the transformers library fails to enforce security settings when loading LightGlue models. It incorrectly trusts configuration data provided by an external model repository, allowing that data to override internal security safeguards and execute arbitrary code on the host system during initialization.

How can an attacker trigger this code execution?

An attacker triggers this by providing a malicious model repository containing a crafted configuration file. When a user or automated system attempts to load this model, the library's internal logic is manipulated into ignoring the user's security preferences. Importantly, simply having the library installed is not enough; the bug only activates when a user explicitly initiates the loading process for a compromised or untrusted model.

Is my system at risk?

According to Halo Surface Signal, risk depends on how your pipelines interact with external model sources. While the library itself is not an internet-facing gateway, it becomes reachable if your API inference servers, CI/CD pipelines, or research environments are configured to pull or process untrusted model repositories from the internet without strict validation of the source.

What steps should I take to respond to this issue?

First, conduct an inventory to locate every instance where huggingface/transformers version 5.2.0 is deployed. Prioritize systems that load models from public or untrusted repositories. Once identified, evaluate the necessity of those loading processes and work with your platform or machine learning teams to implement stricter source controls or move toward trusted, internal model registry practices until a formal update is applied.

References