{"data":{"id":"167acf42-031b-4fdc-b98f-76828c36d559","title":"GHSA-98h9-4798-4q5v: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components","summary":"Diffusers, a popular AI library, had a security flaw where the `trust_remote_code` parameter (a safety check to prevent running untrusted code) could be bypassed in three ways when loading models with `DiffusionPipeline.from_pretrained()`. An attacker could execute arbitrary code on a user's machine even when the user explicitly set `trust_remote_code=False` or left it at its default safe setting. The vulnerability affected users loading custom pipelines (external code) or local model snapshots (saved model files).","solution":"Upgrade to diffusers version 0.38.0 or later by running: `pip install --upgrade \"diffusers>=0.38.0\"`. The fix moves the `trust_remote_code` security check to `get_cached_module_file()` in `src/diffusers/utils/dynamic_modules_utils.py`, which is the actual point where all dynamic modules are loaded.\nIf immediate upgrading is not possible, the source recommends only using `from_pretrained()` with trusted sources, avoiding `custom_pipeline=` parameters pointing to different repositories without inspecting their code first, and manually checking local snapshots for unexpected `.py` files before loading them, though these are only temporary mitigations and not complete fixes.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-98h9-4798-4q5v","publishedAt":"2026-05-07T05:31:17.000Z","cveId":"CVE-2026-44513","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["diffusers@< 0.38.0 (fixed: 0.38.0)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Hugging Face","diffusers"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-07T05:31:17.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}