CVE-2026-1839 (Severity: MEDIUM)

CWE-502 · Published: April 7, 2026 · Updated: Apr 7, 2026

CVSS v3.1 base score: 6.5
EPSS: 0.02% probability of exploitation in 30 days (percentile: 5.2th)

Official Description

A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
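An added example, not code from the advisory or from the Transformers project: an offline audit that lists the `module.name` globals a checkpoint's pickle stream would import without executing it, which is the class of reference that `weights_only=True` refuses. The allowlist, the zip layout stand-in for the checkpoint and the sample payloads are all constructed assumptions for the demonstration.

```python
import datetime
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist (an approximation, not the advisory's list): top-level modules a tensor/RNG checkpoint may reference.
ALLOWED_TOP_LEVEL_MODULES = {"torch", "collections", "numpy"}
STRING_OPS = {"STRING", "SHORT_BINSTRING", "BINSTRING", "UNICODE", "SHORT_BINUNICODE", "BINUNICODE"}

def referenced_globals(data):
    """List every 'module.name' the pickle would import, by reading opcodes only (nothing is executed)."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)           # simple recent-strings heuristic, not a full stack model
        elif op.name == "GLOBAL":                # protocol <= 3: arg is 'module name' in one string
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:  # protocol 4+: two preceding pushes
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
    return found

def checkpoint_pickles(blob):
    """Return the pickle streams in a checkpoint: '*.pkl' members of the zip layout, or the raw legacy pickle."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return [blob]

def audit_checkpoint(blob):
    """Return global references outside the allowlist; an empty list means nothing unexpected would be imported."""
    return [ref for data in checkpoint_pickles(blob)
            for ref in referenced_globals(data)
            if ref.split(".", 1)[0] not in ALLOWED_TOP_LEVEL_MODULES]

def make_checkpoint(obj, protocol):
    """Constructed stand-in for the zip-based checkpoint layout: a single 'archive/data.pkl' member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()

# Constructed samples: plain ints stand in for the RNG state tensors a real rng_state.pth holds.
CLEAN_CHECKPOINT = make_checkpoint(OrderedDict(cpu=[1, 2, 3], cuda=[4, 5, 6]), protocol=2)
FLAGGED_CHECKPOINT = make_checkpoint({"cpu": [1, 2, 3], "stamp": datetime.date(2026, 4, 7)}, protocol=4)

if __name__ == "__main__":
    print("clean:", audit_checkpoint(CLEAN_CHECKPOINT))      # []
    print("flagged:", audit_checkpoint(FLAGGED_CHECKPOINT))  # ['datetime.date']
```

The flagged sample references only a harmless standard-library class; the point is that any reference outside the expected tensor modules is reason to reject a checkpoint before `torch.load()` ever runs it.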

Source: NVD

Technical Analysis

CVE-2026-1839 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation does not require any privileges, but user interaction is required, which slightly reduces the risk of mass automated attacks.

A successful exploit results in a complete confidentiality breach (data exposure) and availability disruption (denial of service), with a CVSS base score of 6.5.

From a weakness classification perspective (CWE-502): Insecure deserialization vulnerabilities allow attackers to inject malicious objects during deserialization, potentially enabling remote code execution.

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
Impact
  • Confidentiality: High
  • Integrity: Low
  • Availability: High
Vector string: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.


Quick Facts

  • CVE ID: CVE-2026-1839
  • CVSS Score: 6.5 / 10
  • Severity: MEDIUM
  • Weakness: CWE-502
  • CISA KEV: No
  • EPSS (30d): 0.02%
  • Published: Apr 7, 2026


Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-1839 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.