{"data":{"id":"938051f2-097b-44e1-b44d-454887a2fe72","title":"Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE","summary":"LeRobot, Hugging Face's open-source robotics platform, has a critical unpatched vulnerability (CVE-2026-25874, CVSS score 9.3) that allows unauthenticated attackers to execute arbitrary code by sending malicious data through unencrypted network connections. The flaw stems from unsafe deserialization (a process of converting data back into code without properly checking if it's trustworthy) using pickle, an unsafe data format, which enables attackers to compromise the server, steal sensitive data, or impact connected robots.","solution":"A fix is planned in version 0.6.0. The LeRobot team acknowledged the issue in January 2026 and noted that the vulnerable part of the codebase will need to be almost entirely refactored.","labels":["security"],"sourceUrl":"https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html","publishedAt":"2026-04-28T11:18:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["model_poisoning"],"issueType":"news","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Hugging Face","LeRobot"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-28T11:18:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability","safety"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}