<Vulnerability name="CVE-2026-45804">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-15T16:05:35</PublicDate>
    <Bugzilla id="2501024" url="https://bugzilla.redhat.com/show_bug.cgi?id=2501024" xml:lang="en:us">
diffusers: Diffusers: Arbitrary code execution due to trust_remote_code guard bypass
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-94</CWE>
    <Details xml:lang="en:us" source="Mitre">
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, Diffusers' DiffusionPipeline.from_pretrained flow can bypass the trust_remote_code guard because download() validates model_index.json and custom pipeline code before later loading from a cached folder that can change, allowing a Hub repository with custom .py pipeline code to execute through the custom pipeline flow without passing custom_pipeline or trust_remote_code=True. This issue is fixed in version 0.38.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Diffusers, a library for pretrained diffusion models. A remote attacker could exploit this vulnerability by crafting a malicious Hub repository with custom Python pipeline code. The `DiffusionPipeline.from_pretrained` flow can bypass the `trust_remote_code` security mechanism, allowing the execution of arbitrary code on the system when a user interacts with the malicious repository. This could lead to high impact on confidentiality, integrity, and availability of the affected system.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in Diffusers, as used in Red Hat AI Inference Server, Red Hat OpenShift AI, and Red Hat Enterprise Linux AI, allows for arbitrary code execution. A remote attacker could exploit this by convincing a user to load a specially crafted model from a malicious Hub repository, bypassing the `trust_remote_code` safeguard. This could lead to a complete compromise of the system where the model is loaded.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhaiis/vllm-cpu-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhaiis/vllm-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhaiis/vllm-rocm-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhaiis/vllm-tpu-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhaii/vllm-cpu-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhaii/vllm-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhelai3/bootc-aws-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhelai3/bootc-azure-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhelai3/bootc-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhelai3/bootc-gcp-cuda-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-openvino-model-server-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-th06-rocm64-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-training-cuda128-torch29-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-training-rocm64-torch29-py312-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-45804
https://nvd.nist.gov/vuln/detail/CVE-2026-45804
https://github.com/huggingface/diffusers/commit/a37f6f8394ac2a7ee8360c3abea811efe54512b1
https://github.com/huggingface/diffusers/issues/13446
https://github.com/huggingface/diffusers/pull/13448
https://github.com/huggingface/diffusers/releases/tag/v0.38.0
https://github.com/huggingface/diffusers/security/advisories/GHSA-7wx4-6vff-v64p
    </References>
</Vulnerability>