HUMAN VERIFICATION REQUIRED, PATCH STATUS: This brief was produced with patch status as of April 28, 2026 (Wire reporting date). Before publishing, confirm current patch status via the GitHub Security Advisory for CVE-2026-25874 and Hugging Face’s LeRobot repository. If a patch has been released, update the brief accordingly. Do not publish “unpatched” as current status without confirmation.
CVE-2026-25874. CVSS 9.3. Hugging Face LeRobot. Unpatched as of April 28, 2026.
That’s the scan line for security teams. Here’s what it means operationally.
The vulnerability involves unsafe pickle deserialization in LeRobot’s async inference pipeline, exposed over gRPC channels without authentication requirements. Pickle deserialization flaws are a well-documented attack class: an attacker who can reach the exposed gRPC endpoint can send a crafted payload that executes arbitrary code on the server. At CVSS 9.3, this is classified Critical, which reflects both the unauthenticated access vector and the full code execution impact. Per the GitHub Security Advisory, the vulnerability is documented in LeRobot’s async inference pipeline specifically.
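The flaw class described above, as an added example (not LeRobot's code and not taken from the advisory): plain `pickle.loads` runs a callable named by the sender, while a MAC check followed by an allowlisting unpickler rejects the same bytes. The key, message fields and helper names are assumptions, and the crafted sample is constructed and benign.

```python
import hashlib
import hmac
import io
import pickle

# Assumption: the wire format carries only dicts, lists, strings and numbers,
# which need no global lookups, so the allowlist of importable names is empty.
ALLOWED_GLOBALS = frozenset()


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse to resolve any module.name that is not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def mac(key: bytes, blob: bytes) -> bytes:
    return hmac.new(key, blob, hashlib.sha256).digest()


def safe_loads(blob: bytes, tag: bytes, key: bytes):
    """Authenticate the sender first, then unpickle under the allowlist."""
    if not hmac.compare_digest(mac(key, blob), tag):
        raise ValueError("bad MAC, payload dropped before deserialization")
    return AllowlistUnpickler(io.BytesIO(blob)).load()


class CallsOnLoad:
    """Constructed sample: its pickle tells the loader to call a function."""
    def __reduce__(self):
        return (len, ("harmless",))  # benign stand-in callable


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; use a managed secret in practice
    good = pickle.dumps({"joint_positions": [0.1, 0.2], "step": 7})
    crafted = pickle.dumps(CallsOnLoad())
    out = {"plain_loads": pickle.loads(crafted)}  # the callable ran during load
    out["good"] = safe_loads(good, mac(key, good), key)
    for label, blob, tag in (("crafted", crafted, mac(key, crafted)),
                             ("unsigned", good, b"\x00" * 32)):
        try:
            out[label] = safe_loads(blob, tag, key)
        except (pickle.UnpicklingError, ValueError) as exc:
            out[label] = f"rejected: {exc}"
    return out
```

The `crafted` case carries a valid MAC on purpose: it shows the allowlist still holding when the sender is authenticated, which is why both checks are kept.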
Interim mitigation (until a patch is confirmed):
Avoid exposing unauthenticated gRPC channels to untrusted networks. If LeRobot’s async inference pipeline is deployed in an environment where the gRPC port is accessible from outside a trusted boundary (production API endpoints, shared research infrastructure, any deployment reachable from a network segment you don’t fully control), that exposure needs to be addressed now. This isn’t a theoretical risk classification. CVSS 9.3 reflects a real attack surface.
This is the second Hugging Face security disclosure in six days. On April 23, CVE-2026-39987 documented an active RCE exploit using Hugging Face infrastructure as command-and-control. That was a different CVE, a different product, a different attack vector. The pattern, two Critical or near-Critical disclosures affecting Hugging Face-hosted tooling in less than a week, is worth tracking for teams that have standardized on the HF ecosystem for open-source AI frameworks.
LeRobot is a robotics AI framework. The async inference pipeline is where control signals flow between perception inputs and actuator outputs in robotic systems. An RCE in that layer isn’t just a data exfiltration risk; in physical deployment contexts, it’s a control plane risk. For teams running LeRobot in research or production environments connected to physical hardware, the exposure surface is broader than a typical API server compromise.
What to watch: whether Hugging Face publishes a patch timeline and whether the CVE entry on NVD is updated with additional technical detail. The GitHub Advisory is the authoritative tracking point; check it directly rather than waiting for secondary coverage to confirm status changes.
The open-source AI framework security posture is an emerging operational risk category. LeRobot is widely used in robotics research. CVE-2026-25874 won’t be the last disclosure in this space.