{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/trust_remote_code/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["diffusers (\u003c 0.38.0)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","diffusers","trust_remote_code"],"_cs_type":"advisory","_cs_vendors":["Hugging Face"],"content_html":"\u003cp\u003eA \u003ccode\u003etrust_remote_code\u003c/code\u003e bypass in \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e allows arbitrary remote code execution despite the user passing \u003ccode\u003etrust_remote_code=False\u003c/code\u003e (or omitting it, which is the default). The vulnerability, impacting diffusers versions before 0.38.0, stems from the \u003ccode\u003etrust_remote_code\u003c/code\u003e gate being implemented inside \u003ccode\u003eDiffusionPipeline.download()\u003c/code\u003e rather than at the actual dynamic-module load site. This allows for bypasses using cross-repo \u003ccode\u003ecustom_pipeline\u003c/code\u003e, local snapshots with Hub \u003ccode\u003ecustom_pipeline\u003c/code\u003e, and local snapshots with custom components. Successful exploitation results in silent remote code execution on the victim\u0026rsquo;s machine, affecting anyone calling \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e with custom pipelines. The vulnerability is tracked as CVE-2026-44513.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user calls \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e with a malicious \u003ccode\u003ecustom_pipeline\u003c/code\u003e pointing to an attacker\u0026rsquo;s repository (repoB) while setting \u003ccode\u003etrust_remote_code=False\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDiffusionPipeline.download()\u003c/code\u003e function is invoked, but the trust check is performed against the primary repository (repoA) instead of the attacker\u0026rsquo;s repository (repoB).\u003c/li\u003e\n\u003cli\u003eAlternatively, the user calls \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e with a local snapshot directory and a malicious \u003ccode\u003ecustom_pipeline\u003c/code\u003e pointing to an attacker\u0026rsquo;s repository. The local-path branch bypasses the \u003ccode\u003edownload()\u003c/code\u003e function, thus skipping the \u003ccode\u003etrust_remote_code\u003c/code\u003e gate.\u003c/li\u003e\n\u003cli\u003eAs another alternative, the user calls \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e with a local snapshot directory containing custom component files (e.g., \u003ccode\u003eunet/my_unet_model.py\u003c/code\u003e) referenced from \u003ccode\u003emodel_index.json\u003c/code\u003e. The local path bypasses \u003ccode\u003edownload()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s \u003ccode\u003epipeline.py\u003c/code\u003e or custom component files are loaded as dynamic modules.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed, granting the attacker arbitrary code execution privileges on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform various malicious activities, such as installing malware, stealing data, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for arbitrary remote code execution on the victim\u0026rsquo;s machine. This could lead to complete system compromise, data theft, or other malicious activities. All users of diffusers versions before 0.38.0 who call \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e with custom pipelines are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to diffusers version 0.38.0 or later to remediate the vulnerability. The fix moves the \u003ccode\u003etrust_remote_code\u003c/code\u003e gate to \u003ccode\u003eget_cached_module_file\u003c/code\u003e in \u003ccode\u003esrc/diffusers/utils/dynamic_modules_utils.py\u003c/code\u003e (\u003ca href=\"https://github.com/huggingface/diffusers/pull/13448\"\u003ehttps://github.com/huggingface/diffusers/pull/13448\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, only call \u003ccode\u003efrom_pretrained\u003c/code\u003e with \u003ccode\u003epretrained_model_name_or_path\u003c/code\u003e, \u003ccode\u003ecustom_pipeline\u003c/code\u003e, and local snapshot directories from fully trusted sources that have been audited.\u003c/li\u003e\n\u003cli\u003eIf a local snapshot is used, inspect it for unexpected \u003ccode\u003e*.py\u003c/code\u003e files, especially under component subdirectories (\u003ccode\u003eunet/\u003c/code\u003e, \u003ccode\u003escheduler/\u003c/code\u003e, etc.) and at the snapshot root before calling \u003ccode\u003efrom_pretrained\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect execution of unexpected python files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T05:31:17Z","date_published":"2026-05-07T05:31:17Z","id":"/briefs/2026-05-diffusers-rce/","summary":"A `trust_remote_code` bypass vulnerability exists in the `DiffusionPipeline.from_pretrained` function of the diffusers library, allowing for arbitrary remote code execution when using `custom_pipeline` and local custom components, even when `trust_remote_code=False` is set.","title":"Diffusers trust_remote_code Bypass Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-diffusers-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Trust_remote_code","version":"https://jsonfeed.org/version/1.1"}