HIGH 7.8

CVE-2026-46517: LMDeploy Supply-Chain RCE via Hardcoded Trust Settings

LMDeploy, a toolkit for compressing and deploying large language models, contains a critical flaw in versions 0.12.3 and earlier. The tool automatically trusts code downloaded from Hugging Face without asking users for permission. This "trust by default" setting allows attackers to inject malicious code into the supply chain—if a model or dependency on Hugging Face is compromised, LMDeploy will execute that code automatically on any system using the toolkit. No patches are currently available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-1188, CWE-915, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46517 stems from hardcoded `trust_remote_code=True` in LMDeploy's code-loading pipeline. The vulnerability permits arbitrary remote code execution (RCE) when LMDeploy loads models or dependencies from Hugging Face Hub without cryptographic verification or user consent. The issue affects the supply chain at the point where untrusted serialized model artifacts are deserialized and executed. This is not a typical network-based attack surface; rather, it represents a silent privilege escalation path for attackers who can compromise upstream artifacts on Hugging Face or intercept model downloads.

Business impact

Organizations using LMDeploy to deploy or serve LLMs face supply-chain compromise risk. A successful attack could lead to unauthorized code execution with the privileges of the LMDeploy process, potentially compromising model inference servers, training pipelines, or downstream applications that depend on LMDeploy outputs. For teams running LMDeploy in containerized or cloud environments, this could facilitate lateral movement, data exfiltration, or persistence. The lack of an available patch means vulnerable deployments remain at risk until mitigation or version upgrades are possible.

Affected systems

All installations of LMDeploy version 0.12.3 and prior are affected. Users who rely on LMDeploy to load models from Hugging Face Hub, or who integrate LMDeploy into CI/CD pipelines for model serving, are at highest risk. The vulnerability does not require network exposure; local or container-based deployments are vulnerable if they fetch remote models.

Exploitability

Exploitation requires either: (1) compromise of a Hugging Face repository or model card that a target organization uses, or (2) man-in-the-middle interception of model downloads. While the latter is unlikely on HTTPS, the former is plausible in supply-chain scenarios where models are publicly shared, dependencies are third-party, or access controls on Hugging Face accounts are weak. The attack is not trivial in its execution but is high-impact once successful; user interaction is required only in the sense that an administrator must invoke LMDeploy to load a compromised artifact.

Remediation

Users should immediately upgrade LMDeploy to a version later than 0.12.3 when patches become available. Until then, mitigations include: (1) restricting Hugging Face model sources to internally vetted or self-hosted repositories, (2) disabling direct internet access from LMDeploy processes and performing offline model caching, (3) running LMDeploy in least-privilege containers with minimal filesystem and network permissions, and (4) auditing all model and dependency sources for integrity using checksums or cryptographic signatures where available.

Patch guidance

At time of publication, no patches have been released. Monitor LMDeploy's official GitHub repository and release notes for version updates beyond 0.12.3. When a patch is available, prioritize immediate deployment in development and staging environments to verify compatibility before rolling out to production inference servers. Consider establishing a process to pin LMDeploy versions and require security review before upgrades to catch any potential breakages.

Detection guidance

Monitor LMDeploy process executions for unexpected child processes or network connections that deviate from normal model-loading behavior. Log all model downloads from Hugging Face, including URLs, timestamps, and file hashes. Use endpoint detection and response (EDR) tools to flag any unusual behavior in LMDeploy runtime contexts. Additionally, audit Hugging Face account access logs and model repository history to detect unauthorized modifications. Implement Software Bill of Materials (SBOM) scanning to track LMDeploy versions across your infrastructure.

Why prioritize this

This vulnerability merits high priority despite lack of in-the-wild exploitation because: (1) the attack surface is the software supply chain, where a single compromise can affect many downstream users; (2) the absence of patches creates an extended window of exposure; (3) organizations may not even be aware they are running vulnerable versions; and (4) the user-interaction requirement is minimal—simply loading a model triggers the flaw. Teams deploying LLMs in regulated or high-security environments should treat this as urgent.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects high impact (confidentiality, integrity, and availability all affected) and local attack vector. The score does not fully capture supply-chain risk or the fact that no patches exist; however, the underlying technical severity is significant. Organizations should consider this a baseline and adjust upward if they rely heavily on Hugging Face models or maintain public-facing LLM services.

Frequently asked questions

Do I need internet access for LMDeploy to be vulnerable?

No. The vulnerability is triggered when LMDeploy loads models or code from Hugging Face Hub—this can happen during deployment, initialization, or at runtime. If your LMDeploy instance fetches models from Hugging Face, you are at risk regardless of whether the final inference service is exposed to the internet.

Can I safely use LMDeploy 0.12.3 if I only use local models I built myself?

If you exclusively load models from your local filesystem and never reference Hugging Face Hub, your risk is substantially lower. However, check your configuration carefully: some LMDeploy pipelines may download dependencies or model components from Hugging Face transparently. Review all model-loading code paths and configuration files to be certain.

What should I do if I cannot upgrade immediately?

Implement network segmentation to prevent LMDeploy processes from reaching Hugging Face Hub or other untrusted sources. Run LMDeploy in a container with strict AppArmor or SELinux policies to limit the impact of code execution. Pre-download and cache all required models on an internal server, then configure LMDeploy to load only from that source. These measures reduce but do not eliminate risk.

How does this compare to other supply-chain vulnerabilities in AI tooling?

This is similar to attacks on other open-source ML frameworks that deserialize untrusted data. The key difference is that LMDeploy's hardcoded trust setting bypasses any user decision point. Many other tools require explicit configuration to load remote code; here, the dangerous behavior is the default, making it easier for inexperienced users to unknowingly expose themselves.

This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations must conduct their own risk assessment and validate all remediation steps in test environments before production deployment. Patch availability and vulnerability details may change; consult the official LMDeploy repository and security advisories for the most current information. No exploit code or detailed attack procedures are included in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).