{"id":737,"date":"2026-04-28T11:53:01","date_gmt":"2026-04-28T11:53:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=737"},"modified":"2026-04-28T11:53:01","modified_gmt":"2026-04-28T11:53:01","slug":"critical-unpatched-flaw-leaves-hugging-face-lerobot-open-to-unauthenticated-rce","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=737","title":{"rendered":"Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 28, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have disclosed details of a critical security flaw impacting <a href=\"https:\/\/arxiv.org\/abs\/2602.22818\">LeRobot<\/a>, Hugging Face&#8217;s open-source robotics platform with <a href=\"https:\/\/github.com\/huggingface\/lerobot\">nearly 24,000 GitHub stars<\/a>, that could be exploited to achieve remote code execution.<\/p>\n<p>The vulnerability in question is <strong>CVE-2026-25874<\/strong> (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the unsafe pickle format.<\/p>\n<p>\u00abLeRobot contains an unsafe deserialization vulnerability in the async inference pipeline, where pickle.loads() is used to deserialize data received over 
unauthenticated gRPC channels without TLS in the policy server and robot client components,\u00bb according to a <a href=\"https:\/\/github.com\/advisories\/GHSA-f7vj-73pm-m822\">GitHub advisory<\/a> for the flaw.<\/p>\n<p>\u00abAn unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.\u00bb<\/p>\n<p>According to Resecurity, the problem is <a href=\"https:\/\/www.resecurity.com\/blog\/article\/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization\">rooted<\/a> in the async inference PolicyServer component, allowing an unauthenticated attacker who can reach the PolicyServer network port to send a malicious serialized payload and run arbitrary operating system commands on the host machine running the service.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjYAEm0hY3IRrDsmM7sah0UzJr8OJnL2P2SGieeeuN58sduY8KENYH5ckHduf1vzNyd-Bn0CdIKvKHyG24I9lWqQFW6H-JUkQfR7-9VyRdyzcCDUrPNiLl0-9Qqx8nJDKCk6llwkd4hyphenhyphenvwZkWqACY7n-AkkBrYr3gKCvt9q7C9qSM1FttM1ddirpsA-mUKI\/s1700-e365\/lerobot.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjYAEm0hY3IRrDsmM7sah0UzJr8OJnL2P2SGieeeuN58sduY8KENYH5ckHduf1vzNyd-Bn0CdIKvKHyG24I9lWqQFW6H-JUkQfR7-9VyRdyzcCDUrPNiLl0-9Qqx8nJDKCk6llwkd4hyphenhyphenvwZkWqACY7n-AkkBrYr3gKCvt9q7C9qSM1FttM1ddirpsA-mUKI\/s1700-e365\/lerobot.png\" alt=\"\" border=\"0\" data-original-height=\"933\" data-original-width=\"1999\"\/><\/a><\/div>\n<p>The cybersecurity company said the vulnerability is \u00abdangerous\u00bb as the service is designed for artificial intelligence inference systems, which tend to run with elevated privileges to access internal networks, datasets, and expensive compute resources. Should the flaw be exploited by an attacker, it could enable a wide range of actions, including &#8211;<\/p>\n<ul>\n<li>Unauthenticated remote code execution<\/li>\n<li>Complete compromise of the PolicyServer host<\/li>\n<li>Impact on connected robots<\/li>\n<li>Theft of sensitive data, such as API keys, SSH credentials, and model files<\/li>\n<li>Lateral movement across the network<\/li>\n<li>Service crashes, model corruption, or sabotage of operations, leading to physical safety risks<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjtLFfooMejdjPrKI2usnp2DBwWQ6FARNgNBkKtUgPHRuKasKWfmaqjLVNTfHkCTJip-mUQHcLKw-f2yNIqU4ud1XE6SiPqh_9mxWQiOsE8gF9tNsD3yaEvYanFOnpLoCuvKEJyVdqnbjvv6shxY9Ns-SqM4qyU6_hbv9eLftGxBHXXic92glXMqj8otZ-b\/s1700-e365\/attack.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjtLFfooMejdjPrKI2usnp2DBwWQ6FARNgNBkKtUgPHRuKasKWfmaqjLVNTfHkCTJip-mUQHcLKw-f2yNIqU4ud1XE6SiPqh_9mxWQiOsE8gF9tNsD3yaEvYanFOnpLoCuvKEJyVdqnbjvv6shxY9Ns-SqM4qyU6_hbv9eLftGxBHXXic92glXMqj8otZ-b\/s1700-e365\/attack.png\" alt=\"\" border=\"0\" data-original-height=\"1024\" data-original-width=\"1536\"\/><\/a><\/div>\n<p>VulnCheck 
security researcher Valentin Lobstein, who <a href=\"https:\/\/github.com\/huggingface\/lerobot\/issues\/3047\">discovered<\/a> and <a href=\"https:\/\/chocapikk.com\/posts\/2026\/lerobot-pickle-rce\/\">published additional details of the shortcoming<\/a> last week, said it has been successfully validated against LeRobot version 0.4.3. The issue currently remains unpatched, with a fix <a href=\"https:\/\/www.vulncheck.com\/advisories\/lerobot-unsafe-deserialization-remote-code-execution-via-grpc\">planned<\/a> in <a href=\"https:\/\/github.com\/huggingface\/lerobot\/issues\/3134\">version 0.6.0<\/a>.<\/p>\n<p>Interestingly, the same flaw was independently <a href=\"https:\/\/github.com\/huggingface\/lerobot\/issues\/2745\">reported<\/a> by another researcher who goes by the online alias \u00abchenpinji\u00bb sometime in December 2025. The LeRobot team responded earlier this January, acknowledging the security risk and noting \u00abthat part of the codebase needs to be almost entirely refactored as its original implementation was more experimental.\u00bb<\/p>\n<p>\u00abThat said, LeRobot has so far been primarily a research and prototyping tool, which is why deployment security hasn&#8217;t been a strong focus until now,\u00bb Steven Palma, tech lead of the project, said. 
\u00abAs LeRobot continues to be adopted and deployed in production, we\u2019ll start paying much closer attention to these kinds of issues. Fortunately, being an open-source project, the community can also help by reporting and fixing vulnerabilities.\u00bb<\/p>\n<p>The findings once again expose the dangers of using the pickle format, as it paves the way for arbitrary code execution attacks simply by loading a specially crafted file.<\/p>\n<p>\u00abThe irony here is hard to overstate,\u00bb Lobstein noted. \u00abHugging Face created Safetensors &#8212; a serialization format designed specifically because pickle is dangerous for ML data. And yet their own robotics framework deserializes attacker-controlled network input with pickle.loads(), with <a href=\"https:\/\/bandit.readthedocs.io\/en\/latest\/config.html#exclusions\"># nosec comments<\/a> to silence the tool that was trying to warn them.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 28, 2026. Vulnerability \/ Network Security. Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face&#8217;s open-source robotics platform with nearly 24,000 GitHub stars, 
that&hellip;<\/p>\n","protected":false},"author":1,"featured_media":738,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[58,1443,70,1442,1441,1444,681,316,725,721],"class_list":["post-737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-critical","tag-face","tag-flaw","tag-hugging","tag-leaves","tag-lerobot","tag-open","tag-rce","tag-unauthenticated","tag-unpatched"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=737"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/737\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/738"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}