Vulnerability  ·  2026-06-04

CVE-2026-5241 (CVSS 8.0): HuggingFace Transformers trust_remote_code=False Bypassed via LightGlue Nested Config — Arbitrary Code Execution on Model Load

Vulnerability · High impact · Global · CVE-2026-5241
In HuggingFace Transformers version 5.2.0, the LightGlue model loading path reads the trust_remote_code value from the untrusted config.json file and propagates it into nested AutoConfig.from_pretrained() calls. When a victim loads a LightGlue model with AutoModel.from_pretrained() explicitly passing trust_remote_code=False, the nested call overrides the victim's intent with the attacker-controlled value from the model repository's config, executing attacker-provided Python modules. Affects API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers.
An attacker publishes a malicious model repository on HuggingFace Hub (or any accessible registry) containing a config.json that sets trust_remote_code=True. When a victim loads the model with trust_remote_code=False, the nested config override executes the attacker's code at model initialisation time — no prompt or inference required.
HuggingFace Transformers 5.2.0; any workflow using AutoModel.from_pretrained() with LightGlue model architectures from untrusted repositories.
Upgrade HuggingFace Transformers beyond 5.2.0 once a patched release is available (CVE published 2026-06-03; monitor the HuggingFace Transformers GitHub release notes). In the interim, load LightGlue models only from fully-trusted, vendor-verified repositories; scan model config.json files before loading for unexpected trust_remote_code=True values; isolate model loading in sandboxed environments where possible.
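The interim config.json scan described above can be done as a pre-load check on the downloaded file. The sketch below is an added example, not code from HuggingFace or from this advisory; the sample config and its placeholder key names are constructed, and it assumes that the flag may sit at any nesting depth and that string values such as "True" should count as enabled.

```python
import json

# Constructed sample config.json for illustration. Keys other than
# trust_remote_code are placeholders, not taken from a real LightGlue repository.
SAMPLE_CONFIG = """
{
  "model_type": "lightglue",
  "nested_config_placeholder": {
    "model_type": "placeholder",
    "trust_remote_code": true
  },
  "list_placeholder": [{"trust_remote_code": "True"}, {"trust_remote_code": false}]
}
"""


def _is_enabled(value):
    """Treat True, 1 and strings such as "true"/"1"/"yes" as an enabled flag."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return value is True or value == 1


def find_trust_remote_code(node, path="$"):
    """Return JSON paths where trust_remote_code is enabled, at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "trust_remote_code" and _is_enabled(value):
                hits.append(child)
            # Keep descending: the flag may sit inside a nested sub-config.
            hits.extend(find_trust_remote_code(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_trust_remote_code(item, f"{path}[{i}]"))
    return hits


def scan_config_text(text):
    """Parse config.json text; malformed JSON raises instead of passing the scan."""
    return find_trust_remote_code(json.loads(text))


if __name__ == "__main__":
    for hit in scan_config_text(SAMPLE_CONFIG):
        print("refuse to load: trust_remote_code enabled at", hit)
```

Run the scan on the config.json fetched from the repository before any from_pretrained() call, and treat a non-empty result or a parse error as a reason not to load the model.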
Sources
NVD — CVE-2026-5241
CVE.org — CVE-2026-5241 Record