CVE-2026-44827: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
(updated )
The vulnerability is a silent RCE - it allows arbitrary code to be loaded through the custom_pipeline flow from a Hub repo, with no custom_pipeline or trust_remote_code kwargs and nothing suspicious in the config. The from_pretrained call succeeds and returns a functional pipeline.
References
- github.com/advisories/GHSA-j7w6-vpvq-j3gm
- github.com/huggingface/diffusers
- github.com/huggingface/diffusers/commit/a37f6f8394ac2a7ee8360c3abea811efe54512b1
- github.com/huggingface/diffusers/pull/13448
- github.com/huggingface/diffusers/releases/tag/v0.38.0
- github.com/huggingface/diffusers/security/advisories/GHSA-j7w6-vpvq-j3gm
- nvd.nist.gov/vuln/detail/CVE-2026-44827
Code Behaviors & Features
Detect and mitigate CVE-2026-44827 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →