CVE-2026-6859

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H                                    

Vulnerability Description

A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

April 22, 2026

CWE ID

CWE-829

Source

NVD

External References

https://access.redhat.com/security/cve/CVE-2026-6859
https://bugzilla.redhat.com/show_bug.cgi?id=2459998

CVE-2026-6859

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment