CVE-2026-1839— Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-1839
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hugging Face Transformers 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hugging Face Transformers是Hugging Face开源的一个用于定义最先进机器学习模型的框架,涵盖文本、视觉、音频和多模态模型,可用于推理和训练。 Hugging Face Transformers存在安全漏洞,该漏洞源于Trainer类的_load_rng_state方法调用torch.load时未设置weights_only参数,可能导致攻击者通过恶意检查点文件执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| huggingface | huggingface/transformers | unspecified ~ v5.0.0rc3 | - |
II. Public POCs for CVE-2026-1839
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-1839
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: huggingface/transformers
- CVE-2025-6921
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-6051
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-6638
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-5197
Regular Expression Denial of Service (ReDoS) in huggingface/ - CVE-2025-3933
Regular Expression Denial of Service (ReDoS) in huggingface/
Same vendor: huggingface
- CVE-2026-4963
huggingface smolagents Incomplete Fix CVE-2025-9959 local_py - CVE-2026-2654
huggingface smolagents LocalPythonExecutor requests.post ser - CVE-2026-0599
Unbounded External Image Fetch in Validation Leads to Resour - CVE-2025-11844
XPath Injection in Hugging Face Smolagents search_item_ctrl_ - CVE-2025-6921
Regular Expression Denial of Service (ReDoS) in huggingface/
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-41586
ObjectInputStream.readObject() without ObjectInputFilter in - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization
V. Comments for CVE-2026-1839
No comments yet