Critical RCE Vulnerability in Hugging Face LeRobot Exposes Systems to Attack
Severity: High (Score: 76.5)
Sources: Thehackernews, Gbhackers
Summary
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-25874, has been identified in Hugging Face's LeRobot, an open-source robotics machine learning framework. The flaw, which carries a CVSS severity score of 9.8, allows unauthenticated attackers to execute arbitrary commands on affected servers. LeRobot has over 21,500 stars on GitHub, and its widespread use increases the risk of exploitation. The vulnerability was published on April 23, 2026, and remains unpatched as of April 28, 2026. Organizations using LeRobot are at significant risk of compromise if they do not take immediate action to secure their systems. Security professionals are urged to assess their environments for this vulnerability and implement mitigation strategies. The potential for mass exploitation is high given the framework's popularity in the machine learning community.
Key Points
- CVE-2026-25874 is a critical RCE vulnerability in Hugging Face's LeRobot framework.
- The flaw allows unauthenticated attackers to execute arbitrary commands on servers.
- LeRobot has over 21,500 stars on GitHub, indicating widespread use and risk.
Key Entities
- Zero-day Exploit (attack_type)
- Hugging Face (tool)
- CVE-2026-25874 (cve)