CVE-2026-46432

Source
https://cve.org/CVERecord?id=CVE-2026-46432
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46432.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46432
Aliases
Published
2026-06-09T23:05:38.876Z
Modified
2026-07-08T08:13:37.361375635Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
Details

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trustremotecode=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46432.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/internlm/lmdeploy

Affected ranges

Type
GIT
Repo
https://github.com/internlm/lmdeploy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.12.3"
        }
    ]
}

Affected versions

0.*
0.6.5
v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.0a0
v0.1.0a1
v0.1.0a2
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.2.post1
v0.5.3
v0.6.0
v0.6.0a0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.0.post1
v0.7.0.post2
v0.7.0.post3
v0.7.1
v0.7.2
v0.7.2.post1
v0.8.0
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46432.json"