External risk intelligence

LLaMA-Factory RCE via Unvalidated Model Path in WebUI

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58116

LLaMA-Factory is a WebUI-based framework typically deployed as a service to provide interactive chat and training interfaces to users. Such interfaces are frequently exposed as web applications or accessible internal services to facilitate collaborative machine learning tasks, making the WebUI a commonly internet-facing or network-reachable service.

Code Injection

Hiyouga Llama Factory

0.9.5 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in LLaMA-Factory, a machine learning framework, that could allow an attacker with web interface access to execute arbitrary code on the server. This occurs when the system processes a malicious model path without proper validation, leading to the execution of code from untrusted sources.

  • Malicious model path allows code execution.
  • Critical flaw may affect user-facing AI tools.
  • Assess exposure and confirm if LLaMA-Factory is used.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by accessing the LLaMA-Factory's WebUI and then navigating to the Chat or Training interfaces. From there, they would supply a specially crafted model path. This input is not validated and is directly used by the application to download and execute code from a specified model repository, allowing the attacker to run arbitrary Python commands on the server with the server's permissions.

  • Entry condition: WebUI access.
  • Trigger point: Malicious model path in Chat/Training.
  • Resulting risk: Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, attackers with WebUI access could execute arbitrary Python code by providing a malicious model path in the Chat or Training interfaces. This occurs because user-supplied model path input is passed unvalidated into Hugging Face's `from_pretrained` functions with `trust_remote_code=True`, allowing code execution with the privileges of the server process.

  • Server process code execution.
  • Malicious model path input.
  • Compromised server and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The LLaMA-Factory vulnerability directly impacts teams responsible for the application's deployment and operation, likely a platform or application owner team. The initial step is to locate all instances of LLaMA-Factory, assess their exposure and criticality, and identify the specific owner accountable for each instance before planning remediation.

  • Identify accountable application owners.
  • Verify external network reachability.
  • Plan phased remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is LLaMA-Factory and how is it used?

LLaMA-Factory is an open-source framework designed to simplify fine-tuning and experimenting with large language models. Developers and data scientists use its WebUI to manage datasets, perform training, and host chat interfaces for interacting with AI models without needing to write complex configuration scripts from scratch.

What does CVE-2026-58116 mean for security?

This vulnerability is an instance of Improper Control of Generation of Code (CWE-94). The application fails to sanitize user-provided model paths, which are then passed to the Hugging Face library with a setting that automatically runs code from that location. This allows an attacker to force the server to execute arbitrary Python scripts instead of loading a legitimate model.

How is this vulnerability triggered?

An attacker must have access to the LLaMA-Factory WebUI and specifically utilize the Chat or Training interfaces. The bug is triggered when a user inputs a malicious path that points to a source containing executable code. It is important to note that actions performed outside of these specific interface inputs, or within an environment where user input is strictly validated or restricted, do not trigger the flaw.

Is my instance of LLaMA-Factory at risk?

According to Halo Surface Signal, LLaMA-Factory is often deployed as a collaborative service, making its WebUI a frequent candidate for internet-facing or internal network exposure. If your WebUI is reachable by users you do not fully trust, or if it is exposed to the public internet, the risk is elevated because the attacker requires only that interface access to succeed.

What should I do to secure my environment?

Begin by identifying all running instances of LLaMA-Factory within your infrastructure and determining who is responsible for each deployment. Prioritize restricting access to the WebUI to only necessary, authenticated users. If possible, place these instances behind a secure gateway or internal network only, and prepare for updates by communicating with the application owners to manage the patching lifecycle.

References