Critical RCE Flaw Disclosed in Hugging Face LeRobot Robotics Platform
Cybersecurity researchers have disclosed a critical unauthenticated remote code execution vulnerability in LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars. The flaw — tracked as CVE-2026-25874 with a CVSS score of 9.3 — can be exploited by an unauthenticated attacker to execute arbitrary code on systems running the affected software.
The vulnerability was disclosed on April 28, 2026 and, at the time of reporting, no patch was available from Hugging Face.
What Is LeRobot?
LeRobot is an open-source PyTorch-based framework developed and maintained by Hugging Face for real-world robotics applications. The project provides:
- Pre-trained models for robot manipulation and locomotion tasks
- Datasets for training robot learning policies
- Simulation environments and integration with popular robotics simulators
- Tools for collecting human demonstration data via teleoperation
- Support for a wide range of robotic hardware platforms
LeRobot has become one of the most widely adopted AI robotics frameworks in academic research, robotics startups, and university labs, and is used by teams building real physical robots. Its nearly 24,000 GitHub stars reflect its position as a foundational project in the open-source robotics AI ecosystem.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-25874 |
| CVSS Score | 9.3 (Critical) |
| Type | Unauthenticated Remote Code Execution |
| Privileges Required | None |
| User Interaction | None |
| Patch Status | Unpatched at time of disclosure |
| Affected Project | Hugging Face LeRobot |
| GitHub Stars | ~24,000 |
| Disclosed | April 28, 2026 |
The full technical details of the exploit mechanism have been disclosed by the researchers who discovered the flaw. A CVSS score of 9.3 places this firmly in the critical severity tier.
Why This Matters
The AI and Robotics Supply Chain
LeRobot sits at an unusual intersection of two high-risk domains: AI model supply chains and physical robotics infrastructure. A compromise affecting systems using LeRobot could have consequences beyond typical software breaches:
- Research sabotage: Unauthorized code execution on training machines could corrupt model training runs or inject backdoored models
- Physical safety risks: In environments where robot policies are trained and deployed, compromised training infrastructure could theoretically influence robot behavior
- IP theft: Research institutions and robotics companies using LeRobot may store proprietary datasets, model architectures, and hardware schematics on the same systems
- Pivoting to broader infrastructure: Cloud-based training environments (AWS, GCP, Azure clusters) used with LeRobot would be fully accessible after code execution
Hugging Face's Platform Position
Hugging Face hosts models, datasets, and code for millions of AI researchers and developers globally. Vulnerabilities in popular Hugging Face projects carry amplified impact because:
- The affected software is frequently installed in automated pipelines and research clusters
- Systems running LeRobot often have privileged access to GPU clusters and cloud storage
- The open-source nature means the codebase is forked and embedded across thousands of derivative projects
Scope of Exposure
The vulnerability affects systems running LeRobot directly. The population of potentially exposed systems includes:
- University robotics labs worldwide
- Robotics startup training pipelines
- Cloud-hosted AI training environments
- Developer workstations with local LeRobot installations
- Containerized research environments running LeRobot components
Because the flaw requires no authentication, any network-accessible LeRobot service is vulnerable to exploitation without any prior access or credential theft.
No Patch Available — What Researchers and Teams Should Do
At the time of disclosure, Hugging Face had not yet released a patch for CVE-2026-25874. Teams using LeRobot should take immediate interim steps:
1. Isolate LeRobot Services
- Ensure any LeRobot service endpoints are not exposed to untrusted networks
- Run LeRobot components behind a VPN or on isolated network segments
- Disable any remotely accessible LeRobot interfaces not actively required
2. Monitor for Exploitation Indicators
- Unexpected process spawning from LeRobot-related processes
- Unusual outbound network connections from training servers
- Unauthorized file access or modifications in model/dataset directories
- Unexpected authentication events on cloud infrastructure
3. Track the Hugging Face Security Advisory
- Watch the Hugging Face LeRobot GitHub repository for a patch release
- Subscribe to Hugging Face security announcements
- Monitor the NVD entry for CVE-2026-25874 for updated remediation information
4. Audit System Access
If LeRobot has been running with any network exposure, audit:
- SSH access logs on training hosts
- Cloud provider access logs (CloudTrail, GCP Audit Logs)
- Any new files, scheduled tasks, or modifications in the LeRobot environment
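The isolation check in step 1 and the process-spawning indicator in step 2 can be expressed as triage logic over a process and socket snapshot. This is an added example, not code from Hugging Face, the LeRobot project, or the researchers. It assumes LeRobot processes can be recognized by the string "lerobot" in their command line; the module name, PIDs, ports and sample data are constructed.

```python
import ipaddress

# Constructed process snapshot: (pid, ppid, command line). Not from a real host.
SAMPLE_PROCS = [
    (1, 0, "/sbin/init"),
    (900, 1, "python -m lerobot.hypothetical_service"),   # hypothetical module name
    (901, 900, "python -m lerobot.hypothetical_service"), # worker of the same service
    (950, 901, "/bin/sh -c id"),                          # shell under the service
    (1200, 1, "python train.py"),
    (1201, 1200, "/bin/bash"),
]
# Constructed listening sockets: (pid, bind address, port).
SAMPLE_LISTENERS = [(900, "0.0.0.0", 8080), (1200, "127.0.0.1", 6006), (1, "::", 22)]

def is_lerobot(cmdline, marker="lerobot"):
    # Assumption: LeRobot processes carry this marker in their command line.
    return marker in cmdline.lower()

def exposed_listeners(procs, listeners):
    """Step 1: LeRobot-owned sockets bound to anything other than loopback."""
    cmd = {pid: c for pid, _, c in procs}
    return [(pid, addr, port) for pid, addr, port in listeners
            if is_lerobot(cmd.get(pid, ""))
            and not ipaddress.ip_address(addr).is_loopback]

def unexpected_children(procs, allow=()):
    """Step 2: non-LeRobot processes with a LeRobot ancestor, minus an allowlist."""
    info = {pid: (ppid, c) for pid, ppid, c in procs}
    hits = []
    for pid, (ppid, c) in info.items():
        if is_lerobot(c) or any(a in c for a in allow):
            continue
        seen = set()
        while ppid in info and ppid not in seen:   # walk up, guarding against loops
            seen.add(ppid)
            if is_lerobot(info[ppid][1]):
                hits.append((pid, c))
                break
            ppid = info[ppid][0]
    return hits

if __name__ == "__main__":
    for pid, addr, port in exposed_listeners(SAMPLE_PROCS, SAMPLE_LISTENERS):
        print(f"EXPOSED  pid={pid} listens on {addr}:{port}")
    for pid, c in unexpected_children(SAMPLE_PROCS):
        print(f"CHILD    pid={pid} cmd={c!r}")
```

On a live host the two inputs can be built from `ps -eo pid,ppid,args` and `ss -ltnp`. Helper programs the environment legitimately launches belong in `allow`, so the remaining hits are the ones worth investigating.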
Broader Context: AI Tooling Under Increasing Security Scrutiny
CVE-2026-25874 is the latest in a series of high-severity vulnerabilities discovered in AI frameworks and tooling in 2026. The pattern reflects the security community's growing focus on:
- AI supply chain security: Vulnerabilities in model training and distribution infrastructure can compromise downstream AI systems at scale
- AI research infrastructure: Academic and startup environments often prioritize capability over security hardening
- Open-source AI project security posture: Many foundational AI projects lack dedicated security teams or coordinated disclosure processes
Prior notable AI tooling vulnerabilities in 2026 include issues in LangFlow, Amazon Bedrock integrations, SGLang, and the Anthropic MCP framework — demonstrating that the AI infrastructure attack surface is rapidly expanding.
Timeline
| Date | Event |
|---|---|
| Before April 28, 2026 | Vulnerability discovered by security researchers |
| April 28, 2026 | CVE-2026-25874 publicly disclosed |
| April 28, 2026 | No patch available from Hugging Face at time of disclosure |
| TBD | Patch expected from Hugging Face LeRobot team |
Key Takeaways
- CVE-2026-25874 is a critical (CVSS 9.3) unauthenticated RCE in Hugging Face LeRobot
- The flaw affects a project with ~24,000 GitHub stars and wide adoption across robotics research
- No patch is available — organizations should isolate LeRobot services immediately
- The vulnerability reflects broader security risks across the AI tooling and robotics supply chain
- Teams should monitor Hugging Face's GitHub and security channels for patch availability