CVE-2026-46517: lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out

📋 Reframing (2026-05-02): implicit unsafe remote-code path, not “supply-chain”

The accurate description of this vulnerability is: "get_model_arch and related helpers hardcode trust_remote_code=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch."

What this report does NOT claim:

• It is NOT a network-attack RCE — the user supplies the model reference; LMDeploy honors it.
• It is NOT a “supply chain” CVE in the classical sense (where a benign upstream is compromised) — the user explicitly types the repo name.

What this report DOES claim:

• Other inference frameworks (vLLM, TGI, Hugging Face transformers itself) all expose --trust-remote-code as opt-in so that users who consciously load known-safe repos can opt in, while users following a tutorial cannot accidentally execute attacker Python by typing a wrong repo name.
• LMDeploy’s hardcoded True is an implicit trust-boundary override that violates HF Transformers’ default-secure stance (trust_remote_code=False since transformers ≥ 4.30).
• The fix is a one-line CLI flag (--trust-remote-code) defaulting False, threaded through the three sites, matching the rest of the ecosystem.

Severity should be assessed as hardening / safe-by-default, not as full unauthenticated RCE. CVSS revised to 5.5 Medium (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H × user-must-load qualifier).

Runtime evidence: see 12_lmdeploy_trust_remote_code_F13/runtime_evidence/cloudrun_cpu_verdict.txt.