CVE-2026-45804 in diffusersinfo

Summary

by MITRE • 07/15/2026

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, Diffusers' DiffusionPipeline.from_pretrained flow can bypass the trust_remote_code guard because download() validates model_index.json and custom pipeline code before later loading from a cached folder that can change, allowing a Hub repository with custom .py pipeline code to execute through the custom pipeline flow without passing custom_pipeline or trust_remote_code=True. This issue is fixed in version 0.38.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability resides in the diffusers library's handling of pretrained diffusion models, specifically within the DiffusionPipeline.from_pretrained functionality that existed prior to version 0.38.0. This security flaw represents a critical bypass of the trust_remote_code safeguard mechanism designed to prevent arbitrary code execution from remote repositories. The issue stems from a fundamental design flaw in how the library validates and loads custom pipeline code, creating a window of opportunity for malicious actors to execute unauthorized code through carefully crafted Hub repositories.

The technical implementation of this vulnerability exploits a race condition between validation and loading phases within the diffusion pipeline architecture. During the initial download phase, the system validates the model_index.json file which contains metadata about the model configuration. However, the custom pipeline code validation occurs before the actual loading process, while the cached folder can be modified between these operations. This discrepancy allows attackers to manipulate the cached files after initial validation but before final execution, effectively circumventing the intended security controls that would normally require explicit trust_remote_code=True or custom_pipeline parameters to be passed during instantiation.

The operational impact of this vulnerability is significant within machine learning and artificial intelligence environments where diffusers library components are commonly deployed. Attackers could potentially compromise systems by uploading malicious .py pipeline code to Hub repositories, which would then execute automatically when users load models through the vulnerable DiffusionPipeline.from_pretrained method. This scenario creates a supply chain attack vector that could affect any application or service utilizing diffusers versions prior to 0.38.0, particularly those in production environments where automated model loading occurs without explicit user interaction to pass trust flags.

The vulnerability aligns with common software security patterns documented in CWE categories such as CWE-470 Unstable References to External Resources and CWE-502 Deserialization of Untrusted Data, where improper handling of external code references leads to unauthorized execution. From an ATT&CK framework perspective, this issue maps to T1059 Command and Scripting Interpreter and T1133 External Remote Services, representing a code injection vulnerability that enables remote code execution through legitimate library interfaces. The fix implemented in version 0.38.0 addresses the core validation timing issue by ensuring consistent validation across all stages of the pipeline loading process, thereby preventing the bypass of trust_remote_code guards.

Organizations utilizing diffusers should immediately upgrade to version 0.38.0 or later to mitigate this vulnerability, while also implementing additional security measures such as network segmentation and code review processes for any custom pipeline modifications. The remediation addresses both the immediate execution vulnerability and broader supply chain security concerns by enforcing consistent validation of remote code references throughout the entire loading lifecycle, aligning with industry best practices for secure software development and deployment in machine learning environments.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!