CVE-2026-44513: Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.
Security readout for executives and security teams
Plain-English summary
Hugging Face Diffusers before 0.38.0 could run code from a model pipeline even when users set trust_remote_code=False. The issue matters for teams loading community or third-party diffusion models, because a malicious pipeline or local snapshot could execute code during model loading.
Executive priority
Prioritize remediation for ML systems that ingest external models or user-selected repositories. Internal-only, pinned, trusted model workflows have lower urgency but should still upgrade because the default safety flag was bypassable.
Technical view
The trust_remote_code check was enforced in DiffusionPipeline.download(), not at dynamic module loading. Paths using custom_pipeline or local snapshots could avoid that check and load remote or local custom Python components. The advisory states this is fixed in Diffusers 0.38.0.
Likely exposure
Exposure is likely where applications, notebooks, services, or ML workflows use diffusers versions below 0.38.0 and load untrusted custom pipelines, remote repositories, local snapshots, or model_index.json-referenced custom components.
Exploitation context
The bundle does not cite KEV listing or confirmed active exploitation. Exploitation requires a user or application to load a malicious or compromised pipeline or snapshot; CVSS marks user interaction as required.
Researcher notes
Key variants involve custom_pipeline pointing to a second repository, custom_pipeline from a local snapshot, and local snapshots with custom component files. The shared flaw is security enforcement before download rather than at the dynamic import boundary.
Mitigation direction
Upgrade Hugging Face Diffusers to version 0.38.0 or later.
Restrict model loading to trusted, allowlisted repositories and snapshots.
Avoid custom_pipeline from untrusted sources until upgraded and reviewed.
Review vendor guidance for downstream packages and distributions.
Run ML model loading in constrained, least-privilege environments.
Validation and detection
Inventory deployed diffusers package versions across applications and notebooks.
Search code and configs for DiffusionPipeline.from_pretrained usage.
Review use of custom_pipeline and local snapshot loading paths.
Inspect model_index.json references to custom component files.
Check model provenance for recently added third-party repositories or snapshots.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-358: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-358 · source CWE mapping
Improperly Implemented Security Check for Standard
Improperly Implemented Security Check for Standard represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.