{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1839", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-02-03T16:49:27.781Z", "datePublished": "2026-04-07T05:22:00.959Z", "dateUpdated": "2026-04-07T13:27:41.789Z"}, "containers": {"cna": {"title": "Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-07T05:22:00.959Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3."}], "affected": [{"vendor": "huggingface", "product": "huggingface/transformers", "versions": [{"version": "unspecified", "lessThan": "v5.0.0rc3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"}, {"url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502"}]}], "source": {"advisory": "3c77bb97-e493-493d-9a88-c57f5c536485", "discovery": "EXTERNAL"}}, "adp": [{"references": [{"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:27:38.099805Z", "id": "CVE-2026-1839", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:27:41.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1839", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T13:27:38.099805Z"}}}], "references": [{"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:27:31.816Z"}}], "cna": {"title": "Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers", "source": {"advisory": "3c77bb97-e493-493d-9a88-c57f5c536485", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "huggingface", "product": "huggingface/transformers", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "v5.0.0rc3", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"}, {"url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-07T05:22:00.959Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1839", "state": "PUBLISHED", "dateUpdated": "2026-04-07T13:27:41.789Z", "dateReserved": "2026-02-03T16:49:27.781Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-04-07T05:22:00.959Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*", "matchCriteriaId": "501E3796-D201-494C-B59D-FA598DC36738", "versionEndExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "70A12094-61B0-49E7-9663-73E5B874E819", "vulnerable": true}, {"criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "424574B4-B321-4D5A-BE48-95A61D9F3752", "vulnerable": true}, {"criteria": "cpe:2.3:a:huggingface:transformers:5.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3F5BCCD-1960-4809-9519-4ADDACAFB3D3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3."}], "id": "CVE-2026-1839", "lastModified": "2026-04-28T16:39:31.917", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T06:16:41.490", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@huntr.dev", "type": "Secondary"}]}

{"bugzilla": {"description": "transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file", "id": "2455854", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455854"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in HuggingFace Transformers. A remote attacker can exploit this vulnerability by supplying a specially crafted checkpoint file (e.g., `rng_state.pth`). The `_load_rng_state()` method in the `Trainer` class loads this file using `torch.load()` without proper validation, specifically missing the `weights_only=True` parameter. This issue primarily affects systems using PyTorch versions below 2.6. Successful exploitation can lead to arbitrary code execution on the system where the file is loaded."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-1839", "package_state": [{"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-stack", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rag-tool", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-ocp-rag", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rag-tool", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-service", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-cpu-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-cuda-ubi9-3-2-2", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-cuda-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-model-opt-cuda-ubi9-3-2-2", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-model-opt-cuda-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-neuron-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-rocm-ubi9-3-2-2", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-rocm-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-spyre-ubi9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-spyre-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-tpu-ubi9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhaiis-tpu-ubi9-3-3", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-aws-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-azure-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-disk-image-container-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-gcp-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-rocm-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-rocm-azure-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/llama-stack-cpu", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-built-in-detector-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-caikit-nlp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-caikit-tgis-serving-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llm-d-inference-scheduler-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-openvino-model-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-ta-lmes-job-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-cuda121-torch24-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-cuda124-torch25-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-cuda128-torch28-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-rocm62-torch24-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-rocm62-torch25-py311-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-rocm64-torch28-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-training-rocm64-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-07T05:22:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1839\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1839\nhttps://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396\nhttps://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v5.0.0rc3)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "huggingface/transformers", "source": "cna", "vendor": "huggingface"}, "product": "transformers", "vendor": "huggingface"}], "analysis": {"en": {"generated_at": "2026-04-28T21:41:41.651775+00:00", "value": {"mitigation_remediation": ["Update HuggingFace Transformers to version v5.0.0rc3 or later.", "If upgrading cannot be performed immediately, do not load any checkpoint files from untrusted sources.", "When loading checkpoints, enforce weights_only=True or execute the load in a sandboxed environment to limit malicious code execution.", "Verify the integrity of checkpoint files before use and monitor training processes for anomalous behavior."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "All versions of transformers that support torch\u22652.2 and are used with PyTorch below 2.6 are affected. The issue is fixed in version v5.0.0rc3. The affected product is HuggingFace Transformers, a popular open\u2011source library for natural language processing.", "description_and_impact": "A vulnerability exists in the HuggingFace Transformers library\u2019s Trainer class where a call to torch.load() in the _load_rng_state() method omits the weights_only=True parameter, enabling arbitrary code execution when a malicious checkpoint file is loaded. The flaw is attributable to CWE-502. An attacker who can supply a crafted checkpoint can execute code on the system executing the trainer, potentially compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS base score of 7.8 reflects a high severity, and the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation on the global scale; it is not listed in CISA\u2019s KEV catalog. The attack requires an attacker to supply a malicious checkpoint file, usually through an untrusted model or data source, so the primary vectors are compromised model artifacts or data pipelines. Because the flaw manifests during model checkpoint loading, it can be mitigated by ensuring only trusted checkpoint files are used and by applying the vendor patch. The overall risk is moderate to high for organizations that routinely load external checkpoints and therefore should act promptly."}}}}, "created": "2026-04-08T19:50:05.795036+00:00", "updated": "2026-04-28T21:45:26.150017+00:00", "vendors": ["huggingface", "huggingface$PRODUCT$transformers"]}