Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trustremotecode gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.frompretrained('repoA', custompipeline='attacker/repoB', trustremotecode=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.frompretrained('/local/snapshot', custompipeline='attacker/repoB', trustremotecode=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.frompretrained('/local/snapshot', trustremotecode=False) where the snapshot contains custom component files (e.g. unet/myunetmodel.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44513.json",
"cwe_ids": [
"CWE-94"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:huggingface:diffusers:*:*:*:*:*:python:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.38.0"
}
]
}