GHSA-98h9-4798-4q5v: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
Summary
Diffusers, a popular AI library, had a security flaw where the `trust_remote_code` parameter (a safety check to prevent running untrusted code) could be bypassed in three ways when loading models with `DiffusionPipeline.from_pretrained()`. An attacker could execute arbitrary code on a user's machine even when the user explicitly set `trust_remote_code=False` or left it at its default safe setting. The vulnerability affected users loading custom pipelines (external code) or local model snapshots (saved model files).
Solution / Mitigation
Upgrade to diffusers version 0.38.0 or later by running: `pip install --upgrade "diffusers>=0.38.0"`. The fix moves the `trust_remote_code` security check to `get_cached_module_file()` in `src/diffusers/utils/dynamic_modules_utils.py`, which is the actual point where all dynamic modules are loaded. If upgrading immediately is not possible, the source recommends using `from_pretrained()` only with trusted sources, not passing `custom_pipeline=` values that point to a different repository without first inspecting its code, and manually checking local snapshots for unexpected `.py` files before loading them. These are temporary mitigations only, not complete fixes.
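The version requirement and the local snapshot check above can be scripted as a gate that runs before `from_pretrained()`. This is an added example, not code from the advisory or from the diffusers project; the function names are hypothetical, and it assumes the snapshot is an ordinary directory tree on disk.

```python
import hashlib
import os
import re
import sys
from importlib import metadata
from pathlib import Path

FIXED = (0, 38, 0)  # first fixed diffusers release named in the advisory

def is_fixed_version(version):
    """True for releases >= 0.38.0; pre-releases of 0.38.0 itself do not count."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version)
    if not m:
        return False
    parts = (int(m[1]), int(m[2]), int(m[3] or 0))
    prerelease = bool(re.search(r"(dev|rc|a|b)\d", m[4]))
    return parts > FIXED or (parts == FIXED and not prerelease)

def find_python_files(snapshot_dir, expected=()):
    """Return sorted (relative_path, sha256) for each .py file not in `expected`."""
    root = Path(snapshot_dir)
    allowed = {Path(p).as_posix() for p in expected}
    found = []
    # os.walk skips symlinked directories; symlinked files are hashed via their target.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() != ".py" or rel in allowed:
                continue
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                digest = "unreadable"
            found.append((rel, digest))
    return sorted(found)

def preload_check(snapshot_dir, installed_version, expected=()):
    """Return reasons not to load this snapshot yet; an empty list means none found."""
    reasons = []
    if not is_fixed_version(installed_version):
        reasons.append(f"diffusers {installed_version} is not a release >= 0.38.0")
    for rel, digest in find_python_files(snapshot_dir, expected):
        reasons.append(f"unexpected Python file: {rel} sha256={digest}")
    return reasons

if __name__ == "__main__":
    problems = preload_check(sys.argv[1], metadata.version("diffusers"), sys.argv[2:])
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it with the snapshot directory as the first argument, followed by the relative paths of any `.py` files already reviewed and expected to be there; a non-zero exit status means something still needs inspection.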
Vulnerability Details
EPSS: 0.0%
Yes
May 7, 2026
Original source: https://github.com/advisories/GHSA-98h9-4798-4q5v
First tracked: May 7, 2026 at 02:00 AM