Security update (CVE-2026-4372) - June 11, 2026

We reviewed and remediated a high-severity vulnerability affecting the Hugging Face Transformers library. The issue, tracked as CVE-2026-4372, affected Transformers versions prior to 5.3.0 and could allow arbitrary code execution when loading a malicious model through standard from_pretrained() model-loading paths.

What could be the impact?

In affected versions, a malicious model configuration could bypass the expected trust_remote_code protection mechanism and cause attacker-controlled code to run with the full privileges of the affected process.

Mitigation and current status

We reviewed our dependencies and upgraded Hugging Face Transformers to version 5.3.0, which remediates the vulnerability.

No customer action is required at this time.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request