CVE-2026-44513: Diffusers RCE Bypasses trust_remote_code Flag

The National Vulnerability Database has detailed CVE-2026-44513, a critical remote code execution (RCE) vulnerability in Diffusers, a popular library for pretrained diffusion models. Prior to version 0.38.0, the DiffusionPipeline.from_pretrained method contains a trust_remote_code bypass, allowing arbitrary remote code execution even when users explicitly set trust_remote_code=False or omit the parameter entirely (which is the default secure posture).

The vulnerability stems from an architectural flaw: the trust_remote_code gate was implemented within DiffusionPipeline.download() rather than at the actual dynamic-module load site. This allowed several code paths to bypass or short-circuit the download function, effectively circumventing the security check. Specifically, the National Vulnerability Database notes three variants: loading from a custom pipeline where the gate evaluated against the wrong repository, loading from a local snapshot with a remote custom pipeline, or loading from a local snapshot containing custom components referenced in model_index.json.

This flaw means that relying on the trust_remote_code=False setting was insufficient to prevent malicious code execution. Any scenario involving custom pipelines or local snapshots with embedded custom components could lead to RCE if the source was untrusted. The vulnerability has been addressed in Diffusers version 0.38.0, and the National Vulnerability Database assigns it a high CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

What This Means For You

  • If your organization utilizes Diffusers, immediately verify your version. This RCE allows an attacker to execute arbitrary code on your systems by tricking users into loading a malicious model, even if you thought you were safe with `trust_remote_code=False`. Patch to version 0.38.0 or later without delay. Also, audit your model loading practices; assume any model loaded via `from_pretrained` from an untrusted source, especially with custom pipelines or local snapshots, could be compromised if you are running an unpatched Diffusers version.
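
A pre-load audit for the version check and the local-snapshot variant described above, as an added example (not code from NVD, the Diffusers project, or this page). It assumes `model_index.json` lists each component as a `[library, class]` pair and that a library name outside an installed-package allowlist refers to a Python module shipped inside the snapshot; `TRUSTED_LIBS`, `is_vulnerable`, `audit_snapshot` and the sample snapshot are hypothetical names and constructed data.

```python
import json
import re
import tempfile
from pathlib import Path

FIXED = (0, 38, 0)                            # first patched release, per the advisory
TRUSTED_LIBS = {"diffusers", "transformers"}  # assumed allowlist; adjust locally

def is_vulnerable(version: str) -> bool:
    """True if a diffusers release version string predates 0.38.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

def audit_snapshot(snapshot: Path) -> list[str]:
    """List reasons a local snapshot could run its own Python code at load time."""
    findings = []
    index = json.loads((snapshot / "model_index.json").read_text())
    for name, value in index.items():
        # Component entries are [library, class]; metadata keys start with "_".
        if name.startswith("_") or not isinstance(value, list) or len(value) != 2:
            continue
        library, cls = value
        if library is not None and library not in TRUSTED_LIBS:
            findings.append(f"component {name!r}: {cls} from non-library module {library!r}")
    # Any Python source inside a weights snapshot deserves review before loading.
    for py in sorted(snapshot.rglob("*.py")):
        findings.append(f"python file in snapshot: {py.relative_to(snapshot).as_posix()}")
    return findings

def build_sample(root: Path) -> Path:
    """Constructed sample snapshot mirroring the local-snapshot variant."""
    (root / "unet").mkdir(parents=True)
    (root / "unet" / "my_unet_model.py").write_text("# constructed placeholder\n")
    (root / "model_index.json").write_text(json.dumps({
        "_class_name": "StableDiffusionPipeline",
        "scheduler": ["diffusers", "PNDMScheduler"],
        "safety_checker": [None, None],
        "unet": ["my_unet_model", "MyUNetModel"],
    }))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_snapshot(build_sample(Path(tmp) / "snap")):
            print(finding)
    print("0.37.1 vulnerable:", is_vulnerable("0.37.1"))
```

An empty findings list means the snapshot references only allowlisted libraries and carries no Python source; it says nothing about a remote `custom_pipeline` argument, which has to be reviewed at the call site.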

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-44513: Diffusers RCE via custom_pipeline bypass

Sigma YAML

```yaml
# Title is quoted because an unquoted ": " inside the value is invalid YAML.
title: 'CVE-2026-44513: Diffusers RCE via custom_pipeline bypass'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects the use of the `from_pretrained` method in Diffusers with a `custom_pipeline` argument, which is a primary vector for CVE-2026-44513. This bypasses the `trust_remote_code=False` check by evaluating the security gate against the initial repository rather than the custom one, allowing for arbitrary code execution from a malicious remote repository.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44513/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  # The Image path below is Windows-specific, so scope the rule to Windows.
  product: windows
detection:
  selection:
    Image|startswith:
      - 'C:\Python*\python.exe'
    # Require both strings, matching the description (a plain list is OR-ed).
    # Process-creation logs only show Python code passed on the command line;
    # from_pretrained calls made inside a script file are not visible here.
    CommandLine|contains|all:
      - 'diffusers.pipelines.pipeline.Pipeline.from_pretrained'
      - 'custom_pipeline='
  # condition belongs directly under detection, not inside the selection.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44513 | RCE | Diffusers library versions < 0.38.0 |
| CVE-2026-44513 | RCE | Vulnerable function: DiffusionPipeline.from_pretrained |
| CVE-2026-44513 | Auth Bypass | trust_remote_code bypass in DiffusionPipeline.from_pretrained when trust_remote_code=False |
| CVE-2026-44513 | RCE | Arbitrary remote code execution via custom_pipeline parameter with a remote repository (e.g., 'attacker/repoB') |
| CVE-2026-44513 | RCE | Arbitrary code execution from local snapshot containing custom component files (e.g., unet/my_unet_model.py) referenced from model_index.json |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
