CVE-2026-44513 - Diffusers trust_remote_code bypass

Diffusers allowed dynamic pipeline or component code to execute even when callers passed trust_remote_code=False or relied on the default. The guard was enforced in DiffusionPipeline.download() rather than at every dynamic module load site, so cross-repository custom_pipeline values and local snapshots with custom components could bypass the trust decision.

This matters anywhere model IDs, pipeline IDs, local model snapshots, or component paths are influenced by users, tenants, jobs, notebooks, queues, datasets, or agent-generated configuration. A dependency bump is necessary, but production remediation should also make model-loading policy explicit.

When to use it

Use this recipe when a Python repository loads Diffusers models, pipelines, or local snapshots and any model identifier, custom_pipeline, component path, or job configuration can be influenced by users, tenants, notebooks, queues, datasets, or agents. It is also useful for model-serving images and GPU worker environments that carry secrets or mounted customer data.

Use it to create a safe loading policy and verification plan. Do not use it to execute untrusted remote or local model code.

Inputs

  • Python dependency files, lockfiles, constraints, notebooks, container images, model-server manifests, SBOMs, and dependency reports that may resolve diffusers.
  • DiffusionPipeline.from_pretrained, AutoPipeline*, custom_pipeline, trust_remote_code, snapshot_download, model_index.json, and local model snapshot call sites.
  • Source classification for model and pipeline inputs: fixed internal config, operator-controlled, user/tenant-supplied, notebook-provided, queued job, dataset-provided, or agent-generated.
  • Approved model registry, artifact-signing, allow-list, cache purge, and rehydration policies for local snapshots and GPU workers.
  • Runtime authority for model loading: cloud credentials, model-provider keys, customer prompts/images, embeddings, mounted volumes, internal networks, and deployment identities.

Affected versions

Package Vulnerable versions Fixed versions
diffusers <0.38.0 0.38.0

Indicator-of-exposure

  • The repository depends on diffusers before 0.38.0.
  • Code calls DiffusionPipeline.from_pretrained, AutoPipeline*, or similar loading helpers with custom_pipeline, local snapshots, local custom components, Hugging Face Hub model IDs, or tenant-supplied paths.
  • Model or pipeline identifiers can come from API requests, UI forms, job specs, notebooks, queues, configuration files, agent outputs, datasets, or workspace files.
  • The runtime has access to cloud credentials, model-provider keys, customer content, GPUs, internal networks, mounted volumes, or deployment secrets.

Quick checks:

rg -n "diffusers|DiffusionPipeline|AutoPipeline|from_pretrained|custom_pipeline|trust_remote_code|model_index\\.json|snapshot_download" .
python -m pip show diffusers
pip freeze | rg '^diffusers=='
uv pip freeze | rg '^diffusers=='

Remediation strategy

  • Upgrade diffusers to 0.38.0+ everywhere the repository controls Python dependencies, images, notebooks, model-serving environments, or batch jobs.
  • Regenerate lockfiles, constraints, image metadata, SBOMs, and deployment manifests.
  • Add a central model-loading policy that denies remote custom pipeline code by default and only permits approved model/pipeline sources.
  • Treat local model snapshots as untrusted unless they come from an approved artifact store and have integrity metadata.
  • Add regression tests that prove trust_remote_code=False blocks unapproved custom_pipeline and local custom-component loads.

The prompt

You are remediating CVE-2026-44513 (Diffusers trust_remote_code bypass via
custom pipelines and local custom components). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Diffusers, centralizes safe
  model-loading policy, adds bypass regression tests, refreshes generated
  artifacts, and documents operator checks, or
- TRIAGE.md if this repository does not own an affected Diffusers runtime or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-44513 and directly related model/pipeline loading.
- Do not execute untrusted remote model code, pipeline code, or local snapshot
  code to prove exposure.
- Do not print, commit, or upload model-provider keys, cloud credentials,
  dataset contents, customer prompts, images, embeddings, or generated media.
- Do not preserve user-controlled `custom_pipeline` behavior without an
  explicit allow-list and tests.
- Do not auto-merge.

## Steps

1. Inventory every Python service, notebook, worker, model server, container,
   lockfile, constraints file, SBOM, and deployment manifest controlled by this
   repository that references `diffusers`.
2. Determine each resolved `diffusers` version. A target is vulnerable if it
   resolves to `<0.38.0`.
3. Search for dynamic pipeline/model loading:
   `DiffusionPipeline.from_pretrained`, `AutoPipeline*`, `custom_pipeline`,
   `trust_remote_code`, `snapshot_download`, local snapshot paths,
   `model_index.json`, and job/config fields that carry model IDs.
4. Identify any user-, tenant-, queue-, notebook-, dataset-, or agent-controlled
   model and pipeline sources. Treat them as untrusted input.
5. Upgrade `diffusers` to `0.38.0+`. Regenerate lockfiles, constraints,
   image metadata, SBOMs, model-server manifests, notebook environment files,
   and dependency reports.
6. Add or update a shared safe-loading helper that:
   - sets `trust_remote_code=False` by default;
   - rejects unapproved `custom_pipeline` values;
   - rejects local custom component files unless the source is approved;
   - validates model IDs or paths against an allow-list or signed artifact
     registry;
   - emits audit logs without secrets or user content.
7. Replace direct vulnerable loading calls with the shared helper where the
   repository owns the call site.
8. Add safe regression tests using local fixtures that do not execute untrusted
   payloads. Tests must prove:
   - cross-repo `custom_pipeline` is rejected when unapproved;
   - local snapshot plus Hub `custom_pipeline` is rejected when unapproved;
   - local snapshots with custom component files are rejected unless approved;
   - approved model loads still work.
9. Add a PR body section named `CVE-2026-44513 operator actions` that states:
   - Diffusers versions before and after;
   - dynamic model-loading call sites changed;
   - approved model/pipeline source policy;
   - whether existing model caches or local snapshots must be purged or
     rehydrated from trusted sources;
   - which jobs or serving environments must be redeployed.
10. Run the relevant validation: Python install, unit tests, model-loading
    tests, lint/typecheck, container build, notebook/environment validation,
    SBOM refresh, and dependency/security scans available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-44513 in Diffusers loading`.

## Stop conditions

- No affected Diffusers runtime or deployable artifact is controlled here.
- All controlled targets already resolve `diffusers >=0.38.0` and generated
  artifacts are current.
- The application intentionally allows arbitrary user-supplied custom pipeline
  code; document the product/security owner decision required before patching.
- Meaningful verification would require executing untrusted remote code or
  exposing production datasets, prompts, images, or credentials.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled environment, lockfile, image, SBOM, or job manifest resolves diffusers <0.38.0.
  • Direct from_pretrained call sites with dynamic inputs route through a policy helper or have explicit source validation.
  • Tests cover cross-repo custom pipelines, local snapshot custom pipelines, and local custom components without executing unsafe payloads.
  • Operator notes cover cache/snapshot cleanup when untrusted local artifacts may already exist.
  • Logs and tests do not leak credentials, prompts, images, or customer data.

Watch for

  • Notebook, worker, or GPU image dependency pins that are separate from the main service lockfile.
  • Model cache volumes that persist unsafe snapshots after the package upgrade.
  • Agent-generated job specs that can set custom_pipeline or model paths.
  • Tests that verify only happy-path model loading and never assert rejection for unapproved dynamic code.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades diffusers to 0.38.0+, routes dynamic model loading through an approved safe-loading helper, rejects unapproved custom pipelines and local custom components, refreshes generated artifacts, and documents cache/snapshot cleanup.
  • TRIAGE.md when no controlled affected Diffusers runtime exists, all controlled deployable artifacts already resolve fixed versions, or the product intentionally permits arbitrary custom pipeline code and needs an owner/security decision.

The output must list changed call sites, dependency versions before/after, approved model-source policy, cache purge requirements, validation commands, and jobs or serving environments to redeploy. It must not include untrusted model code, customer prompts/images, embeddings, credentials, or generated media.

References