InstructLab RCE via malicious HuggingFace model (CVE-2026-6859)
CVE-2026-6859 is a high-severity RCE in InstructLab: a hardcoded trust_remote_code=True causes code embedded in a malicious ML model to be loaded and executed automatically. Update to the latest patched version immediately.
Vendor-confirmed: CVE-2026-6859 is a high-severity remote code execution vulnerability in InstructLab that grants an attacker arbitrary Python code execution by uploading a malicious model to HuggingFace Hub. Users must update to the patched version, which removes the hardcoded trust_remote_code=True parameter.
Overview
A high-severity vulnerability in InstructLab, identified as CVE-2026-6859, allows for remote code execution. The flaw is located in the linux_train.py script, which automatically loads machine learning models with elevated, unsafe privileges. This configuration enables an attacker to execute arbitrary Python code on a victim’s system.
Vulnerability Details
The core issue is that the linux_train.py script hardcodes the parameter trust_remote_code=True when using the HuggingFace transformers library to download and load models. This setting bypasses critical security safeguards. Normally, loading untrusted code requires explicit user consent, but this hardcoded value removes that protection.
An attacker can exploit this by uploading a specially crafted, malicious model to the public HuggingFace Hub. If a user is tricked into running any of the affected InstructLab commands (ilab train, ilab download, or ilab generate) with this malicious model as a target, the attacker's embedded code will execute automatically on the user's machine with the same permissions as the InstructLab process.
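The flag described above, as an added example that is not InstructLab's or transformers' own code: a pre-load gate that looks for the signals transformers uses to decide a model needs custom code (an auto_map entry in config.json, or .py files bundled with the weights) and sets trust_remote_code only when the model needs it and the operator explicitly opts in. The helper names (requires_remote_code, load_kwargs, is_blocked, inspect_model_dir) and the sample configs are assumptions.

```python
"""Pre-load gate for a HuggingFace model directory (added example, not
InstructLab's own code). transformers only runs Python shipped inside a
model repo when config.json has an ``auto_map`` entry AND the caller
passes trust_remote_code=True; this gate makes that decision explicit."""
import json
from pathlib import Path


class RemoteCodeRequired(Exception):
    """The model needs custom code and the operator has not opted in."""


def requires_remote_code(config: dict, filenames: list) -> bool:
    """True if loading this model would execute repo-supplied Python:
    an auto_map entry in config.json, or .py files next to the weights."""
    if "auto_map" in config:
        return True
    return any(name.endswith(".py") for name in filenames)


def load_kwargs(config: dict, filenames: list, allow_remote_code: bool = False) -> dict:
    """Kwargs for from_pretrained(). trust_remote_code becomes True only
    when the operator opted in AND the model actually needs it, so even a
    vetted plain-weights model never carries the flag (least privilege)."""
    needs = requires_remote_code(config, filenames)
    if needs and not allow_remote_code:
        custom = sorted(config.get("auto_map", {})) or [n for n in filenames if n.endswith(".py")]
        raise RemoteCodeRequired("model ships custom code (%s); refusing to load" % ", ".join(custom))
    return {"trust_remote_code": needs and allow_remote_code}


def is_blocked(config: dict, filenames: list, allow_remote_code: bool = False) -> bool:
    """Predicate form of the gate: would load_kwargs refuse this model?"""
    try:
        load_kwargs(config, filenames, allow_remote_code)
    except RemoteCodeRequired:
        return True
    return False


def inspect_model_dir(path: str, allow_remote_code: bool = False) -> dict:
    """Filesystem wrapper: read config.json, list files, apply the gate."""
    base = Path(path)
    config = json.loads((base / "config.json").read_text())
    filenames = [p.name for p in base.iterdir() if p.is_file()]
    return load_kwargs(config, filenames, allow_remote_code)
```

Pass the returned dict as `**inspect_model_dir(path)` to from_pretrained(); a downloaded model that registers custom code then fails closed instead of executing silently.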
Impact and Severity
This vulnerability has a CVSS score of 8.8 (High). The impact is severe:
- Arbitrary Code Execution: An attacker can run any command on the compromised system.
- Full System Compromise: This can lead to data theft, installation of persistent malware, or use of the system as a foothold for further network attacks.
- Low Attack Complexity: Exploitation is straightforward once a malicious model is hosted.
- User Interaction Required: The attack requires a user to execute a command, but no special privileges are needed.
This vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating it is not confirmed to be actively exploited in attacks at this time. However, the public nature of the flaw and available proof-of-concept code significantly raises the risk.
Remediation and Mitigation
The primary mitigation is to update the InstructLab software immediately. The maintainers have released a patched version that removes the hardcoded trust_remote_code parameter.
Action Required:
- Update InstructLab: Upgrade to the latest patched version as specified in the official vendor advisory. Consult the InstructLab repository or release notes for the specific fixed version.
- Exercise Caution with Models: Until patched, do not use the ilab command with models from untrusted or unfamiliar sources on HuggingFace Hub.
- Network Controls: Consider restricting outbound network access from systems running InstructLab to the HuggingFace Hub if model training from external sources is not required.
Security Insight
This vulnerability underscores the growing security risks in the AI/ML supply chain, where trusted public repositories become potential attack vectors. It mirrors historical issues in software package managers (like npm or PyPI), where malicious packages are uploaded to exploit automated tooling. The hardcoded security override represents a significant development oversight, highlighting the need for security-by-default principles in rapidly evolving AI development tools. For context on other systemic security flaws, see related coverage on Nine CrackArmor Flaws in Linux AppArmor and tactics used by threat actors such as China-Linked Hackers.