CVE-2026-58116
hiyouga · LlamaFactory
LlamaFactory allows unauthenticated attackers with WebUI access to execute arbitrary Python code by providing a malicious model path.
Executive summary
A critical remote code execution vulnerability in hiyouga LlamaFactory allows attackers to execute arbitrary code with server-level privileges via the WebUI.
Vulnerability
The application is vulnerable to remote code execution because it accepts a user-supplied model path without validation and forwards it to the loader with the trust_remote_code=True parameter. With that flag set, the underlying Hugging Face transformers library fetches and executes the custom Python modeling code shipped in the referenced repository, so whoever controls the model path controls what runs inside the server process.
Business impact
With a CVSS score of 9.8, this vulnerability represents a near-total compromise of the hosting environment. Successful exploitation allows an attacker to execute commands with the privileges of the application, leading to full system takeover, data theft, or the deployment of persistent backdoors within the organization's machine learning infrastructure.
Remediation
Immediate Action: Update hiyouga LlamaFactory to the latest available version, which addresses the unsafe model path handling.
Proactive Monitoring: Monitor server process activity for unexpected child processes spawned by the LlamaFactory application and review outbound network connections to untrusted repositories.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules to block suspicious model path inputs and restrict access to the WebUI to trusted internal networks via a VPN.
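The root cause described under Vulnerability (an unvalidated path forwarded with trust_remote_code=True) and the input-filtering control suggested above can both be addressed at the point where the WebUI hands the model path to the loader. The following is an added example and is not LlamaFactory's own code: it allowlists local model directories and Hugging Face Hub repository ids, normalizes the user input, and builds loader kwargs in which trust_remote_code is pinned to False no matter what the form submitted. The allowlist contents, the "/srv/models" root and the repo-id pattern are assumptions for illustration; the kwargs are shaped for transformers' from_pretrained() but the example deliberately stops short of calling it so it runs offline.

```python
"""
Defensive model-path handling for a web form that feeds a model loader.

Assumptions (not from the advisory): operators maintain an explicit allowlist
of Hub repo ids and one or more local model roots; local models are always
given as absolute paths; anything else is rejected before any download happens.
"""
from __future__ import annotations

import re
from pathlib import Path

# Hub repo ids look like "owner/name". This pattern is an assumption chosen to
# reject URLs, revision suffixes and traversal ("..", "@", ":" never match).
_HUB_REPO_ID = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]{0,95}/[A-Za-z0-9][A-Za-z0-9._-]{0,95}$"
)

# Constructed sample allowlist; a real deployment would load this from config.
APPROVED_REPOS = frozenset({"meta-llama/Llama-2-7b-hf", "Qwen/Qwen2-7B"})
APPROVED_ROOTS = ("/srv/models",)


class UntrustedModelPath(ValueError):
    """Raised when a user-supplied model path is not on the allowlist."""


def validate_model_path(user_path: str, allowed_repos: frozenset[str],
                        allowed_roots: tuple[str, ...]) -> str:
    """Return a normalized model source if allowlisted, otherwise raise."""
    candidate = user_path.strip()
    if not candidate:
        raise UntrustedModelPath("empty model path")

    # Absolute paths are treated as local directories and must resolve inside
    # an approved root; resolve() collapses ".." and symlinks before the check.
    if candidate.startswith("/"):
        resolved = Path(candidate).resolve()
        for root in allowed_roots:
            try:
                resolved.relative_to(Path(root).resolve())
            except ValueError:
                continue
            return str(resolved)
        raise UntrustedModelPath(f"local path outside approved roots: {candidate!r}")

    # Everything else must be an exact, operator-approved Hub repo id.
    if _HUB_REPO_ID.match(candidate) and candidate in allowed_repos:
        return candidate
    raise UntrustedModelPath(f"not an approved Hub repo id: {candidate!r}")


def is_allowed_model_path(user_path: str,
                          allowed_repos: frozenset[str] = APPROVED_REPOS,
                          allowed_roots: tuple[str, ...] = APPROVED_ROOTS) -> bool:
    """Boolean convenience wrapper around validate_model_path()."""
    try:
        validate_model_path(user_path, allowed_repos, allowed_roots)
    except UntrustedModelPath:
        return False
    return True


def safe_loader_kwargs(form: dict[str, str],
                       allowed_repos: frozenset[str] = APPROVED_REPOS,
                       allowed_roots: tuple[str, ...] = APPROVED_ROOTS) -> dict:
    """Turn a submitted form into from_pretrained() kwargs.

    Only the validated source is taken from the form. A "trust_remote_code"
    field, if the client sends one, is ignored: the flag is always False here,
    so repository-shipped Python code is never executed on the server.
    """
    source = validate_model_path(form.get("model_path", ""),
                                 allowed_repos, allowed_roots)
    return {"pretrained_model_name_or_path": source, "trust_remote_code": False}


if __name__ == "__main__":
    # Constructed inputs: one approved repo, one local model, two rejections.
    for submitted in ("meta-llama/Llama-2-7b-hf", "/srv/models/llama-7b",
                      "/srv/models/../../etc", "attacker-org/custom-model"):
        print(submitted, "->", is_allowed_model_path(submitted))
```

The key design choice is that the form never gets to influence trust_remote_code at all; validation of the path is a second, independent layer, so a model that ships custom code is not loaded even if the allowlist is later mis-edited. Models that genuinely need custom modeling code should be vendored into an approved local root and reviewed, rather than enabled by flipping the flag back on.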
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly critical and trivial to exploit for anyone with access to the WebUI. Organizations running LlamaFactory must restrict access to the interface immediately while planning for an emergency update to the patched version.