{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openmed/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenMed","Transformers"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","huggingface"],"_cs_type":"advisory","_cs_vendors":["Hugging Face"],"content_html":"\u003cp\u003eOpenMed before version 1.5.2 is susceptible to a critical remote code execution vulnerability (CVE-2026-47117) in its PII privacy-filter model loading mechanism. The vulnerability arises from insufficient validation of the \u003ccode\u003emodel_name\u003c/code\u003e parameter, which is used to load Hugging Face models. An unauthenticated attacker can exploit this by crafting a malicious model repository hosted on Hugging Face. The attacker leverages the \u003ccode\u003etrust_remote_code=True\u003c/code\u003e setting during model loading and supplies a specially crafted \u003ccode\u003emodel_name\u003c/code\u003e containing a substring match that points to their malicious repository. This repository includes custom Transformers code within either \u003ccode\u003econfig.json\u003c/code\u003e or \u003ccode\u003etokenizer_config.json\u003c/code\u003e via the \u003ccode\u003eauto_map\u003c/code\u003e functionality. The injected code is then executed with the same privileges as the OpenMed service process, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an OpenMed instance running a version prior to 1.5.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Hugging Face model repository containing a custom Transformers code payload within the \u003ccode\u003econfig.json\u003c/code\u003e or \u003ccode\u003etokenizer_config.json\u003c/code\u003e file, using the \u003ccode\u003eauto_map\u003c/code\u003e feature to trigger code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to the OpenMed server, targeting the PII privacy-filter functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003emodel_name\u003c/code\u003e parameter in the request that contains a substring matching a legitimate model name prefix, but redirects to the attacker\u0026rsquo;s malicious repository (e.g., \u003ccode\u003eattacker/foo-privacy-filter-bar\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOpenMed\u0026rsquo;s privacy-filter dispatcher, due to the broad substring matching, routes the request to load the attacker-controlled model.\u003c/li\u003e\n\u003cli\u003eThe OpenMed service process loads the attacker\u0026rsquo;s malicious model repository from Hugging Face, utilizing the \u003ccode\u003etrust_remote_code=True\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe custom Transformers code within the malicious \u003ccode\u003econfig.json\u003c/code\u003e or \u003ccode\u003etokenizer_config.json\u003c/code\u003e is executed with the privileges of the OpenMed service process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, enabling them to perform arbitrary actions on the server, such as installing malware, stealing data, or pivoting to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution on the OpenMed server. Given the nature of OpenMed as a platform likely handling sensitive patient data, this could lead to severe data breaches, compliance violations, and reputational damage. The attacker could potentially gain complete control of the server and use it as a staging point for further attacks within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OpenMed to version 1.5.2 or later to patch CVE-2026-47117.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003emodel_name\u003c/code\u003e parameter used for loading Hugging Face models to prevent malicious model names.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for requests containing suspicious \u003ccode\u003emodel_name\u003c/code\u003e parameters that might indicate an attempt to load models from untrusted sources. Deploy the Sigma rule \u0026ldquo;Detect Suspicious OpenMed Model Loading via Hugging Face (CVE-2026-47117)\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider disabling the \u003ccode\u003etrust_remote_code\u003c/code\u003e option for Hugging Face model loading if it is not strictly necessary.\u003c/li\u003e\n\u003cli\u003eImplement a process creation monitoring rule to detect unusual processes spawned by the OpenMed service, referencing the Sigma rule \u0026ldquo;Detect Unusual Processes Spawned by OpenMed Service\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-02T16:20:18Z","date_published":"2026-06-02T16:20:18Z","id":"https://feed.craftedsignal.io/briefs/2026-06-openmed-rce/","summary":"OpenMed before 1.5.2 is vulnerable to remote code execution (CVE-2026-47117) due to broad substring matching in the PII privacy-filter model loading path, allowing an unauthenticated attacker to execute arbitrary code by supplying a malicious Hugging Face model repository containing custom Transformers code.","title":"OpenMed RCE via Malicious Hugging Face Model Loading (CVE-2026-47117)","url":"https://feed.craftedsignal.io/briefs/2026-06-openmed-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenMed","version":"https://jsonfeed.org/version/1.1"}