Diffusers RCE: Hugging Face Pipeline Loading Bypasses `trust_remote_code`

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityremote-code-executioncwe-94
Diffusers RCE: Hugging Face Pipeline Loading Bypasses `trust_remote_code`

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-44827 with a CVSS score of 8.8 (HIGH), has been identified in the Diffusers library prior to version 0.38.0. This flaw allows attackers to achieve arbitrary code execution when users load pipelines from Hugging Face Hub repositories, even without explicitly setting trust_remote_code=True.

The vulnerability, detailed by the National Vulnerability Database, lies within the _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py. This function performs string interpolation on the custom_pipeline parameter. When this parameter is not supplied by the user, it defaults to None, which Python interpolates as the literal string “None.py”. An attacker can exploit this by publishing a malicious Hub repository containing a None.py file with a class that subclasses DiffusionPipeline.

During a standard DiffusionPipeline.from_pretrained() call, if no custom_pipeline keyword argument is provided, the malicious None.py file is automatically downloaded and executed. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it incorrectly evaluates custom_pipeline is not None as False, while the downstream code correctly resolves None into a valid filename. This allows for silent arbitrary code execution, requiring only that a victim calls from_pretrained on the attacker’s repository.

What This Means For You

  • If your development or research team uses the Diffusers library, you are exposed to silent remote code execution. This isn't theoretical; an attacker can craft a malicious model on Hugging Face Hub, and a standard `from_pretrained()` call will execute their code. Immediately upgrade Diffusers to version 0.38.0 or later. Audit any existing models loaded from public repositories for unexpected `None.py` files or unusual behavior.

Related ATT&CK Techniques

T1505.003 Server Software Component Initial Access T1059.001 PowerShell Execution T1204.002 Malicious File Execution

🛡️ Detection Rules

6 rules · 6 SIEM formats

6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1505.003 Persistence

Web Shell Activity Detection — CVE-2026-44827

Sigma YAML — free preview 
title: Web Shell Activity Detection — CVE-2026-44827
id: scw-2026-05-14-1
status: experimental
level: high
description: |
  Detects potential web shell interaction patterns following the CVE-2026-44827 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44827/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
    category: webserver
detection:
  selection:
      cs-uri|endswith:
        - '.php'
        - '.jsp'
        - '.aspx'
        - '.ashx'
      cs-uri-query|contains:
        - 'cmd='
        - 'exec='
        - 'shell'
        - 'upload'
      condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-44827

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44827 Vulnerability CVE-2026-44827

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-46470 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46470 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-46469 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46469 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 1 Sigma

CVE-2026-44542: Critical Path Traversal in FileBrowser Quantum

CVE-2026-44542 — FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base...

vulnerabilityCVEcriticalhigh-severityarbitrary-file-accesscwe-22
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 3 IOCs /⚙ 2 Sigma