Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
Summary
A critical unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2026-25874, has been discovered in Hugging Face's LeRobot robotics platform. The flaw allows an attacker to execute arbitrary commands on the host machine by exploiting unsafe data deserialization within the async inference pipeline.
Key Points
- CVE ID: CVE-2026-25874
- CVSS Score: 9.3 (Critical)
- Affected Versions: Confirmed in version 0.4.3; a patch is planned for version 0.6.0.
- Vulnerability Type: Unsafe deserialization via the pickle format.
- Attack Vector: Unauthenticated, network-reachable attackers can exploit the flaw via gRPC calls.
- Affected Components: PolicyServer (async inference pipeline) and robot client components.
Technical Details
The vulnerability is rooted in the PolicyServer component, specifically within the async inference pipeline. The system utilizes pickle.loads() to deserialize data received over gRPC channels that lack TLS encryption and authentication. An attacker with network access to the PolicyServer port can transmit a specially crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC methods.
Because the pickle module is inherently unsafe for handling untrusted data, the deserialization process can be manipulated to execute arbitrary operating system commands on the host machine. The risk is compounded by the fact that AI inference services often run with elevated privileges to access sensitive datasets, internal networks, and high-performance compute resources.
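The following is an added example, not code from LeRobot or Hugging Face, showing why `pickle.loads()` on network input is an RCE primitive and what a minimal hardening looks like. `CommandOnLoad` uses the standard `__reduce__` mechanism to make a pickle that runs a command when loaded (here a harmless `echo`); `RestrictedUnpickler` is the allowlisting pattern from the Python `pickle` documentation. `SAMPLE_OBSERVATION` is a constructed stand-in for a client message and does not reflect LeRobot's real message types.

```python
import io
import pickle
import subprocess
from typing import Any

# Constructed stand-in for a message a robot client might send to an inference
# server: plain containers and numbers only. (Assumption: LeRobot's real
# observation/action objects are richer; this is illustrative.)
SAMPLE_OBSERVATION = {"timestep": 42, "joint_positions": [0.1, -0.3, 1.2]}


class CommandOnLoad:
    """Object whose pickled form runs a command when it is unpickled.

    pickle honours __reduce__: the callable and arguments it returns are
    serialized by *reference* and invoked by the receiver inside loads().
    """

    def __init__(self, argv: list[str]):
        self.argv = argv

    def __reduce__(self):
        # subprocess.check_output is resolved by name on the receiving side and
        # called with our argv, i.e. arbitrary command execution on the host.
        return (subprocess.check_output, (self.argv,))


def build_malicious_payload(argv: list[str]) -> bytes:
    """Serialize a payload that executes `argv` on whoever calls pickle.loads()."""
    return pickle.dumps(CommandOnLoad(argv))


def serialize_benign(obj: Any) -> bytes:
    """What a well-behaved client would send (same wire format, no globals)."""
    return pickle.dumps(obj)


def unsafe_load(data: bytes) -> Any:
    """The vulnerable pattern: trusting bytes that arrived over the network."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allowlist of globals.

    Every GLOBAL/STACK_GLOBAL opcode goes through find_class(); refusing
    anything outside the allowlist blocks the __reduce__ trick above. Plain
    containers and numbers never need find_class(), so they still load.
    """

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
        ("builtins", "int"), ("builtins", "float"), ("builtins", "str"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes) -> Any:
    """Drop-in replacement for pickle.loads() with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if safe_load() refuses the payload (the event a server should log)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_payload(["echo", "pwned"])
    print("unsafe_load ran the attacker's command, stdout:", unsafe_load(evil))
    print("safe_load rejects it:", is_rejected(evil))
    print("safe_load still accepts a benign message:",
          safe_load(serialize_benign(SAMPLE_OBSERVATION)) == SAMPLE_OBSERVATION)
```

The allowlisting unpickler is a stop-gap, not the fix: it still runs the pickle virtual machine on attacker-controlled bytes, and any allowed global with side effects re-opens the hole. The durable fix is to stop using pickle on the wire altogether (typed protobuf messages for the gRPC API, safetensors or raw arrays for tensor data) and to put the channel behind TLS and client authentication so that only trusted robots can reach the server in the first place.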
Impact / Why It Matters
Exploitation can lead to complete host compromise, theft of credentials stored on or reachable from the host (such as API keys and SSH keys), and potential physical safety risks to connected robotic hardware, since the compromised PolicyServer is what drives the robot. Because no fixed release is available yet, operators should not expose the PolicyServer port beyond the robot network: restrict it with strict firewall rules to the specific trusted client hosts, and treat any other connection attempt as suspicious, until the version 0.6.0 patch ships and is deployed.