{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44513","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-06T18:28:20.887Z","datePublished":"2026-05-14T16:26:03.907Z","dateUpdated":"2026-07-15T00:53:37.825Z"},"containers":{"cna":{"title":"Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components","problemTypes":[{"descriptions":[{"cweId":"CWE-94","lang":"en","description":"CWE-94: Improper Control of Generation of Code ('Code Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v","tags":["x_refsource_CONFIRM"],"url":"https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v"}],"affected":[{"vendor":"huggingface","product":"diffusers","versions":[{"version":"< 0.38.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-14T16:26:03.907Z"},"descriptions":[{"lang":"en","value":"Diffusers is the a library for  pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0."}],"source":{"advisory":"GHSA-98h9-4798-4q5v","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-14T17:38:51.150920Z","id":"CVE-2026-44513","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-14T19:51:06.991Z"}},{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-cpu-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"unaffected","packageName":"rhaiis/vllm-cuda-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"unaffected","packageName":"rhaiis/vllm-rocm-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-tpu-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaii/vllm-cpu-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaii/vllm-cuda-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-aws-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-azure-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-gcp-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-openvino-model-server-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-th06-cuda130-torch210-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-th06-cuda130-torch291-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-th06-rocm64-torch291-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-training-cuda128-torch29-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-training-rocm64-torch29-py312-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-05-14T16:26:03.907Z","descriptions":[{"lang":"en","value":"A flaw was found in Diffusers, a library for pretrained diffusion models. A remote attacker could exploit a bypass in the `trust_remote_code` mechanism within the `DiffusionPipeline.from_pretrained` function. This vulnerability allows for arbitrary remote code execution, even when the user explicitly sets `trust_remote_code=False` or omits it. The issue stems from the security check being incorrectly placed, allowing malicious code to be loaded and executed by bypassing the intended security gate."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-44513"},{"name":"RHBZ#2477507","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477507"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44513.json"}],"timeline":[{"lang":"en","time":"2026-05-14T17:02:10.040Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-14T16:26:03.907Z","value":"Made public."}],"title":"Diffusers: Diffusers: Arbitrary remote code execution via `trust_remote_code` bypass","workarounds":[{"lang":"en","value":"Use DiffusionPipeline.from_pretrained() only with model paths, custom pipelines,\nand local snapshots from fully trusted and audited sources. Avoid setting\ncustom_pipeline= to a Hub repository that differs from the primary model path\nunless its pipeline.py has been manually reviewed. When loading a local snapshot, check for unexpected *.py files at the snapshot root and under component subdirectories (unet/, scheduler/, etc.) before calling from_pretrained.\n\nThe only complete fix is upgrading to diffusers 0.38.0."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-15T00:53:37.825Z"}}]}}