Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

2026-04-28

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A critical vulnerability (CVE-2026-25874, CVSS 9.3) in Hugging Face's LeRobot enables unauthenticated remote code execution via unsafe pickle deserialization.

•Unsafe pickle.loads() on unauthenticated gRPC channels in the async inference PolicyServer
•Attackers send malicious payloads via SendPolicyInstructions, SendObservations, or GetActions
•Unpatched as of April 2026, fix planned for version 0.6.0, validated on version 0.4.3
•Enables arbitrary code execution, data theft, lateral movement, and service disruption

This summary was automatically generated by AI based on the original article and may not be fully accurate.

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Building a safe, effective sandbox to enable Codex on Windows

Mitigate credential exposure in Windows environments with Boundary and Vault

Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

[Webinar] Why Your AppSec Tools Miss the "Lethal Path" (and How to Fix It)