A critical unpatched vulnerability, identified as CVE-2026-25874, has been discovered in Hugging Face's LeRobot platform; it allows unauthenticated remote code execution. The flaw, rated CVSS 9.3, is attributed to deserialization of untrusted data. With nearly 24,000 GitHub stars, LeRobot is a widely used open-source robotics platform, so the vulnerability is a significant concern. The exploitation status of CVE-2026-25874 is currently being discussed with Hugging Face to determine whether an immediate patch or continued monitoring is warranted. Until that is resolved, users of the LeRobot platform are advised to exercise caution and prepare for potential updates. The vulnerability highlights the importance of secure coding practices, particularly when deserializing user-supplied data, and underscores the need for prompt patching and vigilance against remote code execution attacks.