CVE-2026-44513 - Diffusers trust_remote_code bypass
Diffusers allowed dynamic pipeline or component code to execute even when
callers passed trust_remote_code=False or relied on the default. The guard
was enforced in DiffusionPipeline.download() rather than at every dynamic
module load site, so cross-repository custom_pipeline values and local
snapshots with custom components could bypass the trust decision.
This matters anywhere model IDs, pipeline IDs, local model snapshots, or component paths are influenced by users, tenants, jobs, notebooks, queues, datasets, or agent-generated configuration. A dependency bump is necessary, but production remediation should also make model-loading policy explicit.
When to use it
Use this recipe when a Python repository loads Diffusers models, pipelines, or
local snapshots and any model identifier, custom_pipeline, component path, or
job configuration can be influenced by users, tenants, notebooks, queues,
datasets, or agents. It is also useful for model-serving images and GPU worker
environments that carry secrets or mounted customer data.
Use it to create a safe loading policy and verification plan. Do not use it to execute untrusted remote or local model code.
Inputs
- Python dependency files, lockfiles, constraints, notebooks, container images,
model-server manifests, SBOMs, and dependency reports that may resolve
diffusers. DiffusionPipeline.from_pretrained,AutoPipeline*,custom_pipeline,trust_remote_code,snapshot_download,model_index.json, and local model snapshot call sites.- Source classification for model and pipeline inputs: fixed internal config, operator-controlled, user/tenant-supplied, notebook-provided, queued job, dataset-provided, or agent-generated.
- Approved model registry, artifact-signing, allow-list, cache purge, and rehydration policies for local snapshots and GPU workers.
- Runtime authority for model loading: cloud credentials, model-provider keys, customer prompts/images, embeddings, mounted volumes, internal networks, and deployment identities.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
diffusers |
<0.38.0 |
0.38.0 |
Indicator-of-exposure
- The repository depends on
diffusersbefore0.38.0. - Code calls
DiffusionPipeline.from_pretrained,AutoPipeline*, or similar loading helpers withcustom_pipeline, local snapshots, local custom components, Hugging Face Hub model IDs, or tenant-supplied paths. - Model or pipeline identifiers can come from API requests, UI forms, job specs, notebooks, queues, configuration files, agent outputs, datasets, or workspace files.
- The runtime has access to cloud credentials, model-provider keys, customer content, GPUs, internal networks, mounted volumes, or deployment secrets.
Quick checks:
rg -n "diffusers|DiffusionPipeline|AutoPipeline|from_pretrained|custom_pipeline|trust_remote_code|model_index\\.json|snapshot_download" .
python -m pip show diffusers
pip freeze | rg '^diffusers=='
uv pip freeze | rg '^diffusers=='
Remediation strategy
- Upgrade
diffusersto0.38.0+everywhere the repository controls Python dependencies, images, notebooks, model-serving environments, or batch jobs. - Regenerate lockfiles, constraints, image metadata, SBOMs, and deployment manifests.
- Add a central model-loading policy that denies remote custom pipeline code by default and only permits approved model/pipeline sources.
- Treat local model snapshots as untrusted unless they come from an approved artifact store and have integrity metadata.
- Add regression tests that prove
trust_remote_code=Falseblocks unapprovedcustom_pipelineand local custom-component loads.
The prompt
You are remediating CVE-2026-44513 (Diffusers trust_remote_code bypass via
custom pipelines and local custom components). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Diffusers, centralizes safe
model-loading policy, adds bypass regression tests, refreshes generated
artifacts, and documents operator checks, or
- TRIAGE.md if this repository does not own an affected Diffusers runtime or
cannot make a safe patch.
## Rules
- Scope only CVE-2026-44513 and directly related model/pipeline loading.
- Do not execute untrusted remote model code, pipeline code, or local snapshot
code to prove exposure.
- Do not print, commit, or upload model-provider keys, cloud credentials,
dataset contents, customer prompts, images, embeddings, or generated media.
- Do not preserve user-controlled `custom_pipeline` behavior without an
explicit allow-list and tests.
- Do not auto-merge.
## Steps
1. Inventory every Python service, notebook, worker, model server, container,
lockfile, constraints file, SBOM, and deployment manifest controlled by this
repository that references `diffusers`.
2. Determine each resolved `diffusers` version. A target is vulnerable if it
resolves to `<0.38.0`.
3. Search for dynamic pipeline/model loading:
`DiffusionPipeline.from_pretrained`, `AutoPipeline*`, `custom_pipeline`,
`trust_remote_code`, `snapshot_download`, local snapshot paths,
`model_index.json`, and job/config fields that carry model IDs.
4. Identify any user-, tenant-, queue-, notebook-, dataset-, or agent-controlled
model and pipeline sources. Treat them as untrusted input.
5. Upgrade `diffusers` to `0.38.0+`. Regenerate lockfiles, constraints,
image metadata, SBOMs, model-server manifests, notebook environment files,
and dependency reports.
6. Add or update a shared safe-loading helper that:
- sets `trust_remote_code=False` by default;
- rejects unapproved `custom_pipeline` values;
- rejects local custom component files unless the source is approved;
- validates model IDs or paths against an allow-list or signed artifact
registry;
- emits audit logs without secrets or user content.
7. Replace direct vulnerable loading calls with the shared helper where the
repository owns the call site.
8. Add safe regression tests using local fixtures that do not execute untrusted
payloads. Tests must prove:
- cross-repo `custom_pipeline` is rejected when unapproved;
- local snapshot plus Hub `custom_pipeline` is rejected when unapproved;
- local snapshots with custom component files are rejected unless approved;
- approved model loads still work.
9. Add a PR body section named `CVE-2026-44513 operator actions` that states:
- Diffusers versions before and after;
- dynamic model-loading call sites changed;
- approved model/pipeline source policy;
- whether existing model caches or local snapshots must be purged or
rehydrated from trusted sources;
- which jobs or serving environments must be redeployed.
10. Run the relevant validation: Python install, unit tests, model-loading
tests, lint/typecheck, container build, notebook/environment validation,
SBOM refresh, and dependency/security scans available in this repository.
11. Use PR title:
`fix(sec): remediate CVE-2026-44513 in Diffusers loading`.
## Stop conditions
- No affected Diffusers runtime or deployable artifact is controlled here.
- All controlled targets already resolve `diffusers >=0.38.0` and generated
artifacts are current.
- The application intentionally allows arbitrary user-supplied custom pipeline
code; document the product/security owner decision required before patching.
- Meaningful verification would require executing untrusted remote code or
exposing production datasets, prompts, images, or credentials.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled environment, lockfile, image, SBOM, or job manifest resolves
diffusers <0.38.0. - Direct
from_pretrainedcall sites with dynamic inputs route through a policy helper or have explicit source validation. - Tests cover cross-repo custom pipelines, local snapshot custom pipelines, and local custom components without executing unsafe payloads.
- Operator notes cover cache/snapshot cleanup when untrusted local artifacts may already exist.
- Logs and tests do not leak credentials, prompts, images, or customer data.
Watch for
- Notebook, worker, or GPU image dependency pins that are separate from the main service lockfile.
- Model cache volumes that persist unsafe snapshots after the package upgrade.
- Agent-generated job specs that can set
custom_pipelineor model paths. - Tests that verify only happy-path model loading and never assert rejection for unapproved dynamic code.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades
diffusersto0.38.0+, routes dynamic model loading through an approved safe-loading helper, rejects unapproved custom pipelines and local custom components, refreshes generated artifacts, and documents cache/snapshot cleanup. TRIAGE.mdwhen no controlled affected Diffusers runtime exists, all controlled deployable artifacts already resolve fixed versions, or the product intentionally permits arbitrary custom pipeline code and needs an owner/security decision.
The output must list changed call sites, dependency versions before/after, approved model-source policy, cache purge requirements, validation commands, and jobs or serving environments to redeploy. It must not include untrusted model code, customer prompts/images, embeddings, credentials, or generated media.
Related recipes
- Artifact cache purge
- CVE-2026-27893 - vLLM trust_remote_code bypass
- Source-code supply chain build integrity audit
References
- GitHub Advisory: https://github.com/advisories/GHSA-98h9-4798-4q5v
- Diffusers advisory: https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v
- GitLab Advisory Database: https://advisories.gitlab.com/pypi/diffusers/CVE-2026-44513/
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-44513