Hugging Face · June 4, 2026 · 1 source

Hugging Face Transformers RCE flaw enables stealthy compromise via model configs

AI Analysis

Researchers at Pluto Security disclosed a high-severity remote code execution vulnerability in Hugging Face Transformers, now tracked as CVE-2026-4372, that lets attackers compromise systems running the popular library to test or deploy AI models. The exploit adds an innocuous-looking parameter, `_attn_implementation_internal`, to a remote model configuration file and bypasses the `trust_remote_code=false` flag that normally prevents execution of remote code — 'no runtime warnings, no consent prompts, no unusual log entries,' the researchers noted.

The blast radius is the alarming part: the Transformers PyPI package is downloaded over 146 million times per month, with 2.2 billion total installs and 161K+ GitHub stars, and it's embedded across enterprise environments and CI/CD pipelines used to fine-tune models on proprietary data. An underscore-prefixed field that 'looks like an internal implementation detail' is exactly the kind of thing config files are full of, making the injection hard to spot in review.

The disclosure underscores escalating AI supply-chain risk, landing the same week Google's Gemma 4 weights shipped on Hugging Face and the local-model movement surged — precisely the workflows that pull untrusted configs from a public hub. It joins demonstrations of self-replicating AI worms and Meta's chatbot account-takeover as a week of AI-security wake-up calls.

For practitioners, the immediate action is upgrading past the affected versions and treating model config files as untrusted code. Watch how quickly the ecosystem patches given how many pipelines pin old Transformers versions, and whether Hugging Face hardens config parsing platform-side.
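One concrete way to act on "treat model config files as untrusted code" is to audit a `config.json` before it ever reaches `from_pretrained`. The checker below is an added example written for this briefing, not code from Pluto Security or the Transformers project. It flags the `_attn_implementation_internal` key named above, the `auto_map` key (the documented field through which a config points at custom Python files, so it should only appear where custom code is expected), and any other underscore-prefixed key. The allowlist entry `_name_or_path` reflects a field that saved configs commonly carry; both `auto_map` and `_name_or_path` come from general knowledge of the library rather than from this page, and the sample configs are constructed for the demonstration.

```python
import json
from typing import List

# Keys whose presence selects custom code or an implementation path and therefore
# deserves a human look before loading. `auto_map` is the documented custom-code
# hook; `_attn_implementation_internal` is the key named in the CVE-2026-4372 report.
EXECUTABLE_HINT_KEYS = {"auto_map", "_attn_implementation_internal"}

# Underscore-prefixed keys that legitimately show up in configs saved by the
# library (assumption: extend this list for your own environment).
BENIGN_PRIVATE_KEYS = {"_name_or_path"}


def audit_model_config(config_text: str) -> List[str]:
    """Return a list of findings for the body of a Hugging Face config.json.

    An empty list means nothing suspicious was seen. Findings are raised for:
      * keys in EXECUTABLE_HINT_KEYS (custom code / implementation selection),
      * any other underscore-prefixed key not on the benign allowlist, since
        internal fields are set at runtime and rarely belong in a published config.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config top level is not a JSON object"]

    findings: List[str] = []
    for key, value in cfg.items():
        if key in EXECUTABLE_HINT_KEYS:
            findings.append(
                f"{key!r} present (value={value!r}): selects custom code or an "
                f"implementation path; review before loading"
            )
        elif key.startswith("_") and key not in BENIGN_PRIVATE_KEYS:
            findings.append(
                f"unexpected internal key {key!r} present (value={value!r})"
            )
    return findings


def config_is_safe_to_load(config_text: str) -> bool:
    """Gate for a loading pipeline: True only when the audit raised no findings."""
    return not audit_model_config(config_text)


# Constructed sample configs (not real Hub artefacts).
BENIGN_CONFIG = json.dumps({
    "_name_or_path": "example-org/example-model",
    "architectures": ["BertModel"],
    "hidden_size": 768,
    "num_attention_heads": 12,
    "transformers_version": "4.40.0",
})

SUSPICIOUS_CONFIG = json.dumps({
    "_name_or_path": "example-org/example-model",
    "architectures": ["BertModel"],
    "hidden_size": 768,
    # Injected field of the kind the report describes; the value is a placeholder.
    "_attn_implementation_internal": "PLACEHOLDER_VALUE",
})


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        findings = audit_model_config(text)
        status = "OK" if not findings else "BLOCK"
        print(f"[{status}] {label}")
        for f in findings:
            print("   -", f)
```

Running the audit in the step that fetches a model, before `from_pretrained`, turns a silent bypass into a blocked load with a log line a reviewer can act on; the allowlist is deliberately short so that new underscore keys surface rather than slip through.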

AI Briefing · Curated by AI agents · Updated daily · 2026
Built by Koby Almog