Vulnerability-Lookup

PYSEC-2026-40

Vulnerability from pysec - Published: 2026-05-14 17:16 - Updated: 2026-05-20 09:18

Details

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impacted products

Name	purl
diffusers	pkg:pypi/diffusers

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "diffusers",
        "purl": "pkg:pypi/diffusers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.2",
        "0.0.3",
        "0.0.4",
        "0.1.0",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.11.0",
        "0.11.1",
        "0.12.0",
        "0.12.1",
        "0.13.0",
        "0.13.1",
        "0.14.0",
        "0.15.0",
        "0.15.1",
        "0.16.0",
        "0.16.1",
        "0.17.0",
        "0.17.1",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.19.0",
        "0.19.1",
        "0.19.2",
        "0.19.3",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.20.0",
        "0.20.1",
        "0.20.2",
        "0.21.0",
        "0.21.1",
        "0.21.2",
        "0.21.3",
        "0.21.4",
        "0.22.0",
        "0.22.1",
        "0.22.2",
        "0.22.3",
        "0.23.0",
        "0.23.1",
        "0.24.0",
        "0.25.0",
        "0.25.1",
        "0.26.0",
        "0.26.1",
        "0.26.2",
        "0.26.3",
        "0.27.0",
        "0.27.1",
        "0.27.2",
        "0.28.0",
        "0.28.1",
        "0.28.2",
        "0.29.0",
        "0.29.1",
        "0.29.2",
        "0.3.0",
        "0.30.0",
        "0.30.1",
        "0.30.2",
        "0.30.3",
        "0.31.0",
        "0.32.0",
        "0.32.1",
        "0.32.2",
        "0.33.0",
        "0.33.1",
        "0.34.0",
        "0.35.0",
        "0.35.1",
        "0.35.2",
        "0.36.0",
        "0.37.0",
        "0.37.1",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.5.0",
        "0.5.1",
        "0.6.0",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "0.8.0",
        "0.8.1",
        "0.9.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44513",
    "GHSA-98h9-4798-4q5v"
  ],
  "details": "Diffusers is the a library for  pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause \u2014 the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained(\u0027repoA\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False) \u2014 the gate evaluated against repoA\u0027s file list rather than repoB\u0027s, so repoB\u0027s pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False) \u2014 the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json \u2014 same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.",
  "id": "PYSEC-2026-40",
  "modified": "2026-05-20T09:18:56.669156Z",
  "published": "2026-05-14T17:16:22.903Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-44513 (GCVE-0-2026-44513)

Vulnerability from cvelistv5 – Published: 2026-05-14 16:26 – Updated: 2026-05-14 19:51

Title

Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components

Summary

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/huggingface/diffusers/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
huggingface	diffusers	Affected: < 0.38.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44513",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T17:38:51.150920Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:51:06.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "diffusers",
          "vendor": "huggingface",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.38.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Diffusers is the a library for  pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause \u2014 the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained(\u0027repoA\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False) \u2014 the gate evaluated against repoA\u0027s file list rather than repoB\u0027s, so repoB\u0027s pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False) \u2014 the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json \u2014 same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T16:26:03.907Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v"
        }
      ],
      "source": {
        "advisory": "GHSA-98h9-4798-4q5v",
        "discovery": "UNKNOWN"
      },
      "title": "Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44513",
    "datePublished": "2026-05-14T16:26:03.907Z",
    "dateReserved": "2026-05-06T18:28:20.887Z",
    "dateUpdated": "2026-05-14T19:51:06.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-98H9-4798-4Q5V

Vulnerability from github – Published: 2026-05-07 05:31 – Updated: 2026-05-14 20:53

Summary

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

Details

Impact

A trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check:

Cross-repo custom_pipeline. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed.
Local snapshot + Hub custom_pipeline. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed.
Local snapshot with custom components. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed.

Silent remote code execution on the victim's machine. Anyone calling DiffusionPipeline.from_pretrained with custom pipelines is impacted.

Patches

Yes. Fixed in diffusers 0.38.0 via PR #13448. All users on versions < 0.38.0 should upgrade:

pip install --upgrade "diffusers>=0.38.0"

The fix moves the trust_remote_code gate out of DiffusionPipeline.download() and into get_cached_module_file in src/diffusers/utils/dynamic_modules_utils.py, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise ValueError instead of executing untrusted code.

Workarounds

If upgrading immediately is not possible:

Only call from_pretrained with pretrained_model_name_or_path, custom_pipeline, and local snapshot directories from fully trusted sources that have been audited.
Do not pass custom_pipeline= pointing at a Hub repository different from the primary pretrained_model_name_or_path before reading its pipeline.py.
Before calling from_pretrained on a local snapshot, inspect the snapshot for unexpected *.py files, especially under component subdirectories (unet/, scheduler/, etc.) and at the snapshot root.

These are mitigations, not fixes — the only complete remediation is upgrading to 0.38.0.

Resources

Fix: https://github.com/huggingface/diffusers/pull/13448
Original issue: https://github.com/huggingface/diffusers/issues/13446
Release notes: https://github.com/huggingface/diffusers/releases/tag/v0.38.0
CWE-94: https://cwe.mitre.org/data/definitions/94.html

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "diffusers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T05:31:17Z",
    "nvd_published_at": "2026-05-14T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA `trust_remote_code` bypass in `DiffusionPipeline.from_pretrained` allows arbitrary remote code execution despite the user passing `trust_remote_code=False` (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause \u2014 the `trust_remote_code` gate was implemented inside `DiffusionPipeline.download()` rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited `download()` also bypassed the security check:\n\n1. **Cross-repo `custom_pipeline`.** `DiffusionPipeline.from_pretrained(\u0027repoA\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False)` \u2014 the gate evaluated against `repoA`\u0027s file list rather than `repoB`\u0027s, so `repoB`\u0027s `pipeline.py` was loaded and executed.\n2. **Local snapshot + Hub `custom_pipeline`.** `DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, custom_pipeline=\u0027attacker/repoB\u0027, trust_remote_code=False)` \u2014 the local-path branch never invoked `download()`, so the gate was never reached and remote code from `repoB` executed.\n3. **Local snapshot with custom components.** `DiffusionPipeline.from_pretrained(\u0027/local/snapshot\u0027, trust_remote_code=False)` where the snapshot contains custom component files (e.g. `unet/my_unet_model.py`) referenced from `model_index.json` \u2014 same root cause; the local path skipped `download()` and custom component code executed.\n\nSilent remote code execution on the victim\u0027s machine. Anyone calling `DiffusionPipeline.from_pretrained` with custom pipelines is impacted.\n\n### Patches\n\nYes. Fixed in **diffusers 0.38.0** via [PR #13448](https://github.com/huggingface/diffusers/pull/13448). All users on versions `\u003c 0.38.0` should upgrade:\n\n```bash\npip install --upgrade \"diffusers\u003e=0.38.0\"\n```\n\nThe fix moves the `trust_remote_code` gate out of `DiffusionPipeline.download()` and into `get_cached_module_file` in `src/diffusers/utils/dynamic_modules_utils.py`, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise `ValueError` instead of executing untrusted code.\n\n### Workarounds\n\nIf upgrading immediately is not possible:\n\n- Only call `from_pretrained` with `pretrained_model_name_or_path`, `custom_pipeline`, and local snapshot directories from fully trusted sources that have been audited.\n- Do not pass `custom_pipeline=` pointing at a Hub repository different from the primary `pretrained_model_name_or_path` before reading its `pipeline.py`.\n- Before calling `from_pretrained` on a local snapshot, inspect the snapshot for unexpected `*.py` files, especially under component subdirectories (`unet/`, `scheduler/`, etc.) and at the snapshot root.\n\nThese are mitigations, not fixes \u2014 the only complete remediation is upgrading to 0.38.0.\n\n### Resources\n\n- **Fix:** https://github.com/huggingface/diffusers/pull/13448\n- **Original issue:** https://github.com/huggingface/diffusers/issues/13446\n- **Release notes:** https://github.com/huggingface/diffusers/releases/tag/v0.38.0\n- **CWE-94:** https://cwe.mitre.org/data/definitions/94.html",
  "id": "GHSA-98h9-4798-4q5v",
  "modified": "2026-05-14T20:53:29Z",
  "published": "2026-05-07T05:31:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/diffusers/issues/13446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/diffusers/pull/13448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/diffusers/commit/a37f6f8394ac2a7ee8360c3abea811efe54512b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/diffusers"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/diffusers/releases/tag/v0.38.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2026-40

CVE-2026-44513 (GCVE-0-2026-44513)

GHSA-98H9-4798-4Q5V

Impact

Patches

Workarounds

Resources

Tags

Sightings

Nomenclature