CVE-2026-4372 is a confirmed remote code execution vulnerability in Hugging Face’s Transformers library, publicly disclosed on June 4-5, 2026. The Strobes vulnerability database confirms the CVE exists, affects Hugging Face products, has public exploit code available, and has a patch released. Those four facts are confirmed. Everything else in this brief carries a qualified-language flag, technical specifics come from researcher disclosure and haven’t been independently verified from a second source.
The vulnerability sits in the model-loading pipeline. According to Pluto Security’s disclosure, the research team credited with the find, though their primary report hasn’t been independently accessed, the attack vector involves config injection through the `_attn_implementation_internal` parameter, which reportedly allows an attacker to execute arbitrary code during model loading. Critically: this attack reportedly bypasses `trust_remote_code=False`, the setting most teams rely on as their primary defense against malicious model execution.
The `trust_remote_code=False` bypass is the part that matters operationally. Most AI deployment pipelines set that flag and treat it as a hard stop. If the Pluto Security characterization is accurate, the guardrail doesn’t hold against this vector. Teams that have `trust_remote_code=False` set and believe that’s sufficient are carrying unverified risk until they’re on Transformers ≥5.3.0.
CVE-2026-4372 Immediate Action Items
- Check Transformers library version, upgrade to ≥5.3.0
- Audit server logs from Aug 2025–Mar 2026 for anomalous model-loading activity
- Review CI/CD pipeline dependencies for pinned Transformers versions in affected range
- Do not rely on trust_remote_code=False as sole defense pending independent confirmation of bypass claim
- Monitor NVD for official CVSS score finalization
The CVSS severity score is disputed. Pluto Security reportedly assigned a High severity rating, sometimes cited as 8.5. The Strobes database currently shows a score of 0.0, which typically indicates a placeholder where the official score hasn’t been calculated yet rather than an actual assessment of zero severity. The simultaneous “Exploit: Yes” and “Patch: Yes” flags at 0.0 CVSS confirm this is a database gap, not a genuine low-severity finding. The official NVD score is pending finalization. Don’t let the Strobes placeholder create false confidence.
A 232 million figure for downloads of affected versions has circulated in connection with this CVE. That statistic isn’t confirmed from any independently accessible source. The Transformers library is widely deployed, but use the confirmed-unverified label: potentially very large exposure, specific figure not independently verified.
The timeline has three distinct events. Per the Wire’s research: the vulnerability was reportedly introduced in August 2025, silently patched in March 2026 when researchers disclosed it privately to Hugging Face, and publicly disclosed in June 2026 after a standard coordinated disclosure window. If that timeline is accurate, affected environments had a six-month exposure window. Server logs from August 2025 through March 2026 may be worth auditing.
What to watch:
The NVD CVSS finalization is the priority signal. If the official score confirms High or Critical severity, this escalates further. Watch also for whether Pluto Security publishes the full technical disclosure, the technical specifics (version range, exact parameter names, credential theft capability) are all from researcher reports that haven’t been independently verified in .
TJS synthesis:
The `trust_remote_code=False` bypass claim is the operational headline here, not the CVSS number. If you’re running the Transformers library in a GPU inference environment, the version check takes ten minutes. Do it before the official CVSS score lands. This is the third AI developer supply chain security event in roughly ten days, the pattern is worth more than any single CVE, and it’s covered in depth in the companion deep-dive.