GHSA-98h9-4798-4q5v

Source

https://github.com/advisories/GHSA-98h9-4798-4q5v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-98h9-4798-4q5v/GHSA-98h9-4798-4q5v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-98h9-4798-4q5v

Aliases

CVE-2026-44513

Related

CGA-69gx-4592-cv3j

Published

2026-05-07T05:31:17Z

Modified

2026-05-12T04:44:31.276681035Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

Details

Impact

A trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check:

Cross-repo custom_pipeline. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed.
Local snapshot + Hub custom_pipeline. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed.
Local snapshot with custom components. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed.

Silent remote code execution on the victim's machine. Anyone calling DiffusionPipeline.from_pretrained with custom pipelines is impacted.

Patches

Yes. Fixed in diffusers 0.38.0 via PR #13448. All users on versions < 0.38.0 should upgrade:

pip install --upgrade "diffusers>=0.38.0"

The fix moves the trust_remote_code gate out of DiffusionPipeline.download() and into get_cached_module_file in src/diffusers/utils/dynamic_modules_utils.py, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise ValueError instead of executing untrusted code.

Workarounds

If upgrading immediately is not possible:

Only call from_pretrained with pretrained_model_name_or_path, custom_pipeline, and local snapshot directories from fully trusted sources that have been audited.
Do not pass custom_pipeline= pointing at a Hub repository different from the primary pretrained_model_name_or_path before reading its pipeline.py.
Before calling from_pretrained on a local snapshot, inspect the snapshot for unexpected *.py files, especially under component subdirectories (unet/, scheduler/, etc.) and at the snapshot root.

These are mitigations, not fixes — the only complete remediation is upgrading to 0.38.0.

Resources

Fix: https://github.com/huggingface/diffusers/pull/13448
Original issue: https://github.com/huggingface/diffusers/issues/13446
Release notes: https://github.com/huggingface/diffusers/releases/tag/v0.38.0
CWE-94: https://cwe.mitre.org/data/definitions/94.html

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T05:31:17Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

PyPI / diffusers

Package

Name: diffusers; View open source insights on deps.dev
Purl: pkg:pypi/diffusers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.38.0

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.1.0

0.1.1

0.1.2

0.1.3

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.6.0

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.9.0

0.10.0

0.10.1

0.10.2

0.11.0

0.11.1

0.12.0

0.12.1

0.13.0

0.13.1

0.14.0

0.15.0

0.15.1

0.16.0

0.16.1

0.17.0

0.17.1

0.18.0

0.18.1

0.18.2

0.19.0

0.19.1

0.19.2

0.19.3

0.20.0

0.20.1

0.20.2

0.21.0

0.21.1

0.21.2

0.21.3

0.21.4

0.22.0

0.22.1

0.22.2

0.22.3

0.23.0

0.23.1

0.24.0

0.25.0

0.25.1

0.26.0

0.26.1

0.26.2

0.26.3

0.27.0

0.27.1

0.27.2

0.28.0

0.28.1

0.28.2

0.29.0

0.29.1

0.29.2

0.30.0

0.30.1

0.30.2

0.30.3

0.31.0

0.32.0

0.32.1

0.32.2

0.33.0

0.33.1

0.34.0

0.35.0

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-98h9-4798-4q5v/GHSA-98h9-4798-4q5v.json"