GHSA-j7w6-vpvq-j3gm: Duplicate Advisory: Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
highvulnerability
security
Source: Hugging Face Security AdvisoriesMay 6, 2026
Summary
The Diffusers library has a vulnerability where arbitrary code can be silently executed when loading a pipeline from HuggingFace Hub, bypassing the `trust_remote_code` security check. An attacker can craft a repository with custom code in a Python file that gets automatically executed during `DiffusionPipeline.from_pretrained()` without requiring the `trust_remote_code=True` parameter or any visible warning, allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
HuggingFace
Affected Packages
diffusers@< 0.38.0 (fixed: 0.38.0)
Related Issues
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-j7w6-vpvq-j3gm
First tracked: May 7, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%