CVE-2026-6859
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A flaw was found in InstructLab. The linux_train.py script hardcodes trust_remote_code=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Workarounds
To mitigate this issue, only use models from trusted sources when performing instructlab operations. Review the origin and integrity of any HuggingFace model before using it with ilab train/download/generate. Consider running instructlab commands within a sandboxed or isolated environment to limit the potential impact of executing untrusted code.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
instructlab: InstructLab: Arbitrary code execution due to hardcoded trust_remote_code=True
Additional References
- https://access.redhat.com/security/cve/CVE-2026-6859
- https://bugzilla.redhat.com/show_bug.cgi?id=2459998
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6859.json
References
- https://access.redhat.com/security/cve/CVE-2026-6859
- https://bugzilla.redhat.com/show_bug.cgi?id=2459998
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.