Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks

📅 29 April 2026 at 11:33 UTC | 📰 Cyber Security News

A critical, currently unpatched remote code execution (RCE) vulnerability has been disclosed in LeRobot, Hugging Face’s popular open-source machine learning framework for real-world robotics. Tracked as CVE-2026-25874 with a critical CVSS score of 9.3, the flaw allows unauthenticated attackers to execute arbitrary system commands on vulnerable host machines. With nearly 24,000 stars on GitHub, this […]

🤖 AI Briefing: Auto-generated threat analysis

🔍 Threat Overview

A critical, unpatched remote code execution (RCE) vulnerability exists in LeRobot, a popular open-source machine learning framework for real-world robotics, allowing unauthenticated attackers to execute arbitrary system commands on vulnerable host machines.

⚙️ Technical Details
Affected Systems: Huggingface Lerobot

💥 Impact Assessment
Severity: critical

🛡️ Recommended Actions
1. Apply the patch from GitHub pull request 3048 to LeRobot
2. Disable unauthenticated gRPC channels on vulnerable host machines
3. Monitor for suspicious network activity related to LeRobot

📦 Affected Products
Huggingface Lerobot

🔐 NVD Verified Data (VERIFIED)
CVE-2026-25874 | CVSS 9.8 | CRITICAL
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses: CWE-502
Affected Products (CPE): Huggingface Lerobot

This is a curated summary. The complete article is available at Cyber Security News.
