CVE-2026-25874: Unpatched Critical RCE Found in Hugging Face LeRobot

A critical CVSS 9.3 flaw hits Hugging Face's LeRobot. Learn about the RCE risks and the month-long patch delay following initial disclosure.

Security researchers have disclosed details of a severe, still unresolved security vulnerability affecting LeRobot, Hugging Face's popular open-source robotics platform. The flaw, identified as CVE-2026-25874, has a CVSS score of 9.3 and allows unauthenticated remote code execution (RCE), putting AI systems and sensitive data at risk.

Technical mechanism of the CVE-2026-25874 vulnerability

The critical defect lies in LeRobot's async inference pipeline. According to the security advisory published on GitHub, "LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline, where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components."

This implementation allows an attacker to exploit the gRPC calls SendPolicyInstructions, SendObservations, or GetActions. Through these channels, which lack TLS or authentication, it is possible to send malicious payloads that are unsafely deserialized, leading to the execution of arbitrary commands on both the server and the robotic client. The vulnerability was successfully validated on LeRobot version 0.4.3.
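The deserialization pattern described above, reduced to a local sketch with two receiver-side checks. This is an added example, not LeRobot code and not the project's planned fix. The names `Crafted`, `DataOnlyUnpickler`, `sign`, `safe_loads` and the pre-shared key are assumptions, and `os.getpid` is a harmless stand-in for the callable.

```python
import hashlib
import hmac
import io
import os
import pickle


class Crafted:
    """Constructed sample: its pickle tells the loader to call a function."""
    def __reduce__(self):
        return (os.getpid, ())  # harmless stand-in for any importable callable


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain scalars and containers load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def sign(key: bytes, body: bytes) -> bytes:
    """Sender side: prepend an HMAC-SHA256 tag (pre-shared key is an assumption)."""
    return hmac.new(key, body, hashlib.sha256).digest() + body


def safe_loads(key: bytes, message: bytes):
    """Receiver side: authenticate first, then deserialize with globals disabled."""
    tag, body = message[:32], message[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC: dropped before deserialization")
    return DataOnlyUnpickler(io.BytesIO(body)).load()


def demo() -> dict:
    key = b"constructed-demo-key"
    crafted = pickle.dumps(Crafted())
    out = {"unsafe_result": pickle.loads(crafted)}  # advisory's pattern: callable runs
    try:
        safe_loads(key, b"\x00" * 32 + crafted)
    except ValueError:
        out["unauthenticated"] = "rejected"
    try:
        safe_loads(key, sign(key, crafted))
    except pickle.UnpicklingError:
        out["authenticated_callable"] = "rejected"
    out["plain_data"] = safe_loads(key, sign(key, pickle.dumps({"joints": [0.1, 0.2]})))
    return out


if __name__ == "__main__":
    print(demo())
```

The plain `pickle.loads()` call returns the receiver's own process ID rather than a `Crafted` object, which shows that the sender chose what ran on load. The hardened path drops the same bytes twice: once for a missing MAC, and again at `find_class` even when the MAC is valid.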

The timeline discrepancy between reporting and patching

One of the most significant aspects of this disclosure is the time elapsed between the initial discovery and the public availability of details, in the absence of a definitive fix. Although the news was disseminated on April 28, 2026, the issue had been independently reported by user 'chenpinji' as early as December 2025.

The LeRobot development team responded to the report in January 2026, acknowledging the severity of the technical situation. At that time, the team explained that "that part of the codebase needs to be almost entirely refactored as its original implementation was more experimental."

When the technical details were published on April 28, 2026, no patch was available. The developers have indicated that the fix is planned for version 0.6.0, which leaves systems running the vulnerable version exposed in the meantime.

Risks to data and physical safety

Exploiting this flaw has implications that go beyond simple software compromise. Since AI inference systems often operate with elevated privileges to manage complex hardware, an attacker could exploit RCE to steal sensitive data, including API keys and SSH credentials stored on the system.

Furthermore, as a platform for controlling physical robots, the vulnerability introduces real risks to physical safety. Malicious code executed on the robot client components or the PolicyServer could translate into unpredictable machine behavior, with potential property damage or danger to the safety of people nearby.

Project context and potential impact

LeRobot, which has amassed nearly 24,000 stars on GitHub, is a central tool for the PyTorch-based robotics developer community. The platform's popularity amplifies the potential impact of CVE-2026-25874, considering that many developers may still be using version 0.4.3 in their development pipelines or experimental production environments.

The "experimental" nature of the original code, cited as the reason that part of the codebase needs refactoring, highlights a recurring problem in open-source AI software: components created for rapid prototyping often enter production without the necessary security hardening, especially around data deserialization and the authentication of communication channels.

Frequently Asked Questions

What is the severity of vulnerability CVE-2026-25874?

The vulnerability has a CVSS score of 9.3, classifying it as critical. It allows unauthenticated remote code execution via malicious data deserialization over unprotected gRPC channels.

Is a patch available for LeRobot?

As of the publication of the details (April 28, 2026), an official patch is not yet available. The development team has planned the fix for the future 0.6.0 version.

Which components are vulnerable?

The vulnerable components are the PolicyServer and the robot clients that use the async inference pipeline, where data is deserialized via pickle.loads() without security checks on gRPC channels.

This article is a summary based exclusively on the sources listed.

Sources

  • https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
  • https://news.fyself.com/unpatched-critical-flaw-exposes-hugface-lerobot-to-uncertified-rce/
  • https://www.thehackerwire.com/instructlab-rce-via-malicious-huggingface-models-cve-2026-6859/
  • https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/
  • https://huggingface.co/docs/lerobot/index