HIGH 7.8

CVE-2026-46432: LMDeploy Arbitrary Code Execution via Hardcoded Remote Code Trust

LMDeploy, a toolkit for deploying and serving large language models, contains a critical flaw in how it loads models from HuggingFace. The toolkit automatically enables a dangerous feature called "trust_remote_code" without user awareness or consent. This setting allows arbitrary Python code embedded in model files to execute during loading. An attacker who controls or compromises a model file on HuggingFace can inject malicious code that runs with the privileges of the LMDeploy process. Versions 0.12.3 and earlier are affected, and no public patches exist as of publication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46432 exploits CWE-94 (Improper Control of Generation of Code) by hardcoding trust_remote_code=True across multiple HuggingFace model-loading call sites in LMDeploy. The HuggingFace transformers library uses this flag to determine whether to deserialize and execute custom code objects stored in model configurations or pickled weights. By default, this flag should be False to prevent untrusted model files from executing arbitrary code. LMDeploy's unconditional enablement of this flag eliminates the user's ability to make a security decision and creates an implicit chain of trust from LMDeploy to any model accessible via HuggingFace, including community-contributed models. An attacker positioning a malicious model on HuggingFace or intercepting model downloads can achieve remote code execution in the context of the LMDeploy process.

Business impact

Organizations using LMDeploy to deploy and serve large language models face direct risk of compromise through model supply-chain attacks. A malicious or compromised model can execute code with the privileges of the LMDeploy service, potentially leading to data exfiltration, lateral movement, model tampering, or service disruption. For teams using LMDeploy in production inference pipelines, this vulnerability allows an attacker to gain a foothold on the deployment infrastructure without requiring authentication or exploiting additional vulnerabilities. The impact scales with deployment scale—compromising a shared LMDeploy service affects all downstream applications consuming that service.

Affected systems

LMDeploy versions 0.12.3 and prior are vulnerable. Any deployment or development environment running these versions is at risk when loading models from HuggingFace or other remote sources. The vulnerability is particularly acute in shared deployment environments where multiple users or services rely on the same LMDeploy instance, as well as in CI/CD pipelines that automatically fetch and serve new models without human review.

Exploitability

This vulnerability requires local or network access to invoke LMDeploy's model-loading functions. An attacker must either have direct access to the system running LMDeploy (local exploitation) or be able to influence which model gets loaded (supply-chain or MITM vector). The attack does not require user interaction or special privileges beyond the ability to trigger a model load operation. Because many LMDeploy deployments load models automatically on startup or via API calls, the barrier to exploitation is low once an attacker can influence model selection or compromise the HuggingFace account hosting a model.

Remediation

Immediately cease use of LMDeploy 0.12.3 and prior in environments where remote model loading is enabled or where model sources are not fully controlled. Monitor the LMDeploy project for patched versions that disable trust_remote_code by default or require explicit, logged user approval. Until patches are available, restrict model loading to locally vetted and audited model files, implement strict network segmentation to prevent unauthorized model downloads, and enforce code review of any custom model configurations before deployment.

Patch guidance

At the time of publication (2026-06-17), no public patches are available. Security teams should subscribe to LMDeploy's release notes and security advisories for patch availability. When a patched version is released, verify that it explicitly disables trust_remote_code by default in all HuggingFace model-loading call sites and requires explicit user configuration to enable code execution from remote models. Test patches in a staging environment before production deployment to ensure they do not break existing model-loading workflows.

Detection guidance

Audit LMDeploy process execution and logging to identify model load operations, particularly those involving remote or community-contributed models from HuggingFace. Monitor for unexpected child processes or network connections spawned by LMDeploy services following model load events. Check deployment configurations and scripts for hardcoded references to models on HuggingFace and review which versions of LMDeploy are deployed across your environment. Network-level detection should flag attempts to download models from unexpected HuggingFace accounts or unusual model sources.

Why prioritize this

This vulnerability merits high priority because it affects the integrity and confidentiality of machine learning inference infrastructure, enables supply-chain attack vectors, and lacks public patches. The CVSS 7.8 score reflects the combination of local/network attack surface, high impact (code execution with process privileges), and the critical role LMDeploy plays in production AI systems. Organizations with LMDeploy in production should prioritize mitigation or version upgrades as patches become available.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects a low attack complexity (simple model load operation), low privilege requirement (user running LMDeploy), and high impact across confidentiality, integrity, and availability. The attack vector is listed as local (AV:L), but in cloud and containerized deployments, this can extend to network scope. The scoring appropriately captures the severity of arbitrary code execution in a critical infrastructure component, balanced against the requirement for some level of access to trigger the vulnerable code path.

Frequently asked questions

What should we do if we are using LMDeploy 0.12.3 or earlier in production?

Immediately assess whether you are loading models from remote sources (HuggingFace) or only from local, audited repositories. If remote model loading is enabled, implement compensating controls: restrict network access to prevent unauthorized model downloads, run LMDeploy in a sandboxed or containerized environment with minimal privileges, and manually audit any models before loading. Monitor the LMDeploy project for patch releases and plan an upgrade. If feasible, migrate to alternative model-serving solutions that default to secure code-execution settings.

Does this vulnerability affect LMDeploy if we only load local models we have audited ourselves?

The vulnerability is inherent to the code (hardcoded trust_remote_code=True), so the risk is eliminated only if you guarantee that all model files loaded are from trusted, local sources and have been manually reviewed for embedded code. Even then, if LMDeploy is ever misconfigured or if model paths are controlled by untrusted input, the exposure remains. We recommend upgrading to a patched version once available rather than relying on operational controls alone.

Can we simply disable the HuggingFace integration in LMDeploy to mitigate this?

Check your LMDeploy configuration for options to disable remote model loading or to override the trust_remote_code flag. Depending on the version and configuration interface, this may be possible, but it is not a guarantee that the hardcoded setting is bypassed. Consult the LMDeploy documentation and source code for your specific version to confirm. This is a temporary mitigation; patched versions should be deployed when available.

Why is this vulnerability not yet on the KEV catalog?

The KEV (Known Exploited Vulnerabilities) catalog tracks vulnerabilities that are actively exploited in the wild and have reached a certain threshold of prevalence or threat actor activity. At the time of publication, CVE-2026-46432 had no public exploitation reports. However, this does not diminish its severity—supply-chain vulnerabilities in AI infrastructure often remain quietly exploited for longer periods before detection. Treat this as high-priority based on its CVSS score, attack surface, and lack of patches, regardless of KEV status.

This analysis is provided for informational purposes and represents the state of publicly available information as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of patch availability or vendor response timelines. Organizations should verify all technical details against official vendor advisories and conduct their own risk assessments. Exploitability may vary based on deployment architecture, access controls, and network configuration. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).