Close Menu
    What's Hot

    Trump Flip-Flops on Strait of Hormuz, Creating New Risks for Global Economy

    Iran’s Former Leader Denies Times Report

    Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe

    Facebook X (Twitter) Instagram
    Trending
    • Trump Flip-Flops on Strait of Hormuz, Creating New Risks for Global Economy
    • Iran’s Former Leader Denies Times Report
    • Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe
    • House Votes for Permanent Daylight Saving Time
    • Iran’s Cyberattackers Tracked Phones of U.S. Military Personnel in the Mideast, Data Suggests
    • At War With Iran Again, Trump Finds an Opponent He Cannot Easily Dominate
    • Former Child Care Worker in Sydney Facing Over 300 Abuse Charges Is Identified
    • Top Tax Official to Leave Trump Administration
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

    adminBy adminApril 28, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 28, 2026Vulnerability / Network Security

    Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

    Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face’s open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution.

    The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the unsafe pickle format.

    “LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline, where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components,” according to a GitHub advisory for the flaw.

    “An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.”

    Cybersecurity

    According to Resecurity, the problem is rooted in the async inference PolicyServer component, allowing an unauthenticated attacker who can reach the PolicyServer network port to send a malicious serialized payload and run arbitrary operating system commands on the host machine running the service.

    The cybersecurity company said the vulnerability is “dangerous” as the service is designed for artificial intelligence inference systems, which tend to run with elevated privileges to access internal networks, datasets, and expensive compute resources. Should the flaw be exploited by an attacker, it could enable a wide range of actions, including –

    • Unauthenticated remote code execution
    • Complete compromise of the PolicyServer host
    • Impact connected robots
    • Theft of sensitive data, such as API keys, SSH credentials, and model files
    • Move laterally across the network
    • Crash services, corrupt models, or sabotage operations, leading to physical safety risks

    VulnCheck security researcher Valentin Lobstein, who discovered and published additional details of the shortcoming last week, said it has been successfully validated against LeRobot version 0.4.3. The issue currently remains unpatched, with a fix planned in version 0.6.0.

    Interestingly, the same flaw was independently reported by another researcher who goes by the online alias “chenpinji” sometime in December 2025. The LeRobot team responded earlier this January, acknowledging the security risk and noting “that part of the codebase needs to be almost entirely refactored as its original implementation was more experimental.”

    Cybersecurity

    “That said, LeRobot has so far been primarily a research and prototyping tool, which is why deployment security hasn’t been a strong focus until now,” Steven Palma, tech lead of the project, said. “As LeRobot continues to be adopted and deployed in production, we’ll start paying much closer attention to these kinds of issues. Fortunately, being an open-source project, the community can also help by reporting and fixing vulnerabilities.”

    The findings once again expose the dangers of using the pickle format, as it paves the way for arbitrary code execution attacks simply by loading a specially crafted file.

    “The irony here is hard to overstate,” Lobstein noted. “Hugging Face created Safetensors — a serialization format designed specifically because pickle is dangerous for ML data. And yet their own robotics framework deserializes attacker-controlled network input with pickle.loads(), with # nosec comments to silence the tool that was trying to warn them.”

    critical face flaw Hugging leaves LeRobot Open RCE Unauthenticated Unpatched
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleSome cities are getting their first Whataburger ever—here’s where the chain is expanding next
    Next Article Australia forces Big Tech firms to pay for news or face a 2.25% tax
    admin
    • Website

    Related Posts

    Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

    July 15, 2026

    Lindsey Graham’s Death Leaves Fate of Russia Sanctions Bill Uncertain

    July 15, 2026

    Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Trump Flip-Flops on Strait of Hormuz, Creating New Risks for Global Economy

    Iran’s Former Leader Denies Times Report

    Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe

    House Votes for Permanent Daylight Saving Time

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by