LeRobot async-inference gRPC pickle RCE (CVE-2026-25874)
Disclosed vulnerability, 23 Apr 2026

CVE-2026-25874 (GHSA-f7vj-73pm-m822) is a critical unsafe-deserialization vulnerability disclosed in Hugging Face's LeRobot, an open-source framework for embodied/robotics AI policy models. According to the GitHub Security Advisory and the original researcher writeup by Valentin Lobstein ('Chocapikk'), LeRobot's async-inference module, which offloads policy inference to a GPU-backed server, implements a gRPC PolicyServer and RobotClient that call Python's pickle.loads() on data received over the wire. The server reportedly binds with add_insecure_port(), i.e. no TLS and no authentication, so any attacker who can reach the PolicyServer port can send a crafted pickle payload through the gRPC handlers (reported as SendPolicyInstructions, SendObservations, and GetActions) and execute arbitrary OS commands on the inference host. Because pickle rebuilds objects by calling whatever callables the byte stream names, the command runs inside pickle.loads() itself, before any type validation the handler performs afterwards has a chance to reject the message.

Because LeRobot inference nodes typically run with GPU access, elevated privileges, and a path to robotics hardware, internal networks, datasets, and API keys/model files, reporting frames the impact as both a software-security and a physical-safety concern.

The advisory carries a CVSS 9.3 (CVSS 4.0) score; several outlets cite 9.8 (CVSS 3.1). The researcher reports independent discovery and a PoC on 11 Feb 2026, public disclosure on 22 Apr 2026, and CVE assignment / GitHub advisory publication on 23 Apr 2026. The affected version line runs through 0.5.1 (the researcher tested 0.4.3 from PyPI), with a fix planned for 0.6.0; the issue was reported as unpatched at disclosure. The advisory references GitHub issues huggingface/lerobot#3047 and #3134 and PR #3048.

The recommended mitigations are to replace pickle with a safe serialization format (JSON, typed protobuf fields, or safetensors), to switch to add_secure_port() with TLS, and to enforce gRPC authentication. Until a patched release ships, operators should treat the PolicyServer port as an unauthenticated code-execution endpoint and restrict network reachability to it accordingly. (Figures, versions, and timeline are as reported in public sources; any payload details would be illustrative, not operational.)
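The following Python example is added here to show the mechanism and the mitigations side by side; it is not LeRobot's code, the researcher's PoC, or any of the real gRPC handlers. A handler that calls pickle.loads() on wire bytes is compared with a restricted unpickler (defense in depth only) and with the JSON-plus-schema replacement the advisory recommends. The observation schema, the helper names, and the use of os.getcwd as a harmless stand-in for os.system are all assumptions made for the demonstration.

```python
"""Added example for CVE-2026-25874's pattern: untrusted pickle.loads() on
gRPC payloads, beside two safer handlers. Nothing here is LeRobot's own code;
schema, message contents and helper names are constructed for illustration."""
import base64
import io
import json
import os
import pickle


class Gadget:
    """Illustrative only: any object whose __reduce__ names a callable makes
    pickle.loads() call it during load. os.getcwd is a harmless stand-in for
    the os.system-style callable a real payload would name."""

    def __reduce__(self):
        return (os.getcwd, ())


def vulnerable_handler(raw: bytes):
    """The pattern the advisory describes: trust wire bytes before any check.
    The callable named in the stream runs before this function returns."""
    return pickle.loads(raw)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL lookup, so only literal types
    (int, float, str, bytes, list, tuple, dict, ...) can be rebuilt.
    Defense in depth; the advisory's actual recommendation is to drop pickle."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_pickle_handler(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


# Hypothetical observation schema (assumed, not LeRobot's): the only keys and
# Python types the server is willing to accept from a client.
OBSERVATION_SCHEMA = {"state": list, "image": bytes, "timestamp": float}


def encode_observation(obs: dict) -> bytes:
    """JSON replacement for pickle: bytes fields travel as base64 text."""
    wire = {k: (base64.b64encode(v).decode() if isinstance(v, bytes) else v)
            for k, v in obs.items()}
    return json.dumps(wire).encode()


def json_handler(raw: bytes) -> dict:
    """Parse data-only JSON, then validate shape and types before use.
    json.loads never resolves or calls code, whatever the bytes contain."""
    wire = json.loads(raw)
    if not isinstance(wire, dict) or set(wire) != set(OBSERVATION_SCHEMA):
        raise ValueError(f"unexpected message shape: {wire!r}")
    obs = {}
    for key, typ in OBSERVATION_SCHEMA.items():
        value = wire[key]
        if typ is bytes:
            if not isinstance(value, str):
                raise ValueError(f"{key}: expected base64 text")
            value = base64.b64decode(value)
        if not isinstance(value, typ):
            raise ValueError(f"{key}: expected {typ.__name__}")
        obs[key] = value
    return obs


def check_handlers() -> dict:
    """Run a legitimate and a malicious message through each handler."""
    legit = {"state": [0.1, -0.4, 1.2], "image": b"\x00\x01\x02\x03",
             "timestamp": 1712345678.5}  # constructed sample observation
    legit_pickle = pickle.dumps(legit)
    malicious_pickle = pickle.dumps(Gadget())  # stream names os.getcwd
    results = {
        "vuln_legit": vulnerable_handler(legit_pickle) == legit,
        # The returned value is os.getcwd()'s result: a callable ran on load.
        "vuln_malicious_ran_callable": vulnerable_handler(malicious_pickle) == os.getcwd(),
        "restricted_legit": restricted_pickle_handler(legit_pickle) == legit,
        "json_roundtrip": json_handler(encode_observation(legit)) == legit,
    }
    try:
        restricted_pickle_handler(malicious_pickle)
        results["restricted_blocks"] = False
    except pickle.UnpicklingError:
        results["restricted_blocks"] = True
    try:  # extra key smuggled alongside valid fields is rejected outright
        json_handler(b'{"state": [1.0], "image": "AA==", "timestamp": 1.0, "x": 1}')
        results["json_rejects_extra"] = False
    except ValueError:
        results["json_rejects_extra"] = True
    return results


if __name__ == "__main__":
    for name, ok in check_handlers().items():
        print(f"{name}: {ok}")
```

The transport fix is separate from the serialization fix: with the grpc package, a server bound via `server.add_secure_port(address, grpc.ssl_server_credentials(...))` requires TLS, and `require_client_auth=True` on those credentials enforces mutual TLS, but neither stops a pickle payload from an authenticated client, so both changes are needed.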
Risks it illustrates
Sources
- GitHub Advisory Database: CVE-2026-25874, LeRobot unsafe deserialization (GHSA-f7vj-73pm-m822)
- NVD: CVE-2026-25874
- Valentin Lobstein (Chocapikk): HuggingFace LeRobot Unauthenticated RCE via Pickle Deserialization in gRPC PolicyServer
- The Hacker News: Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
- Aviatrix Threat Research Center: Critical CVE-2026-25874 Leaves Hugging Face's LeRobot Open to Unauthenticated RCE
Practise the risk class: related scenarios
Interactive simulations of the risk class this case illustrates (not a re-enactment of this specific event).
A text-to-SQL agent runs the model's output straight at the database
Compromise the pipeline that builds agents, and every new worker is born malicious
A fake Sentry error report hijacks a developer's coding agent into running a shell command
A cost-saving open-weights swap quietly ships a model with its safety surgically removed
A capable third-party model that behaves perfectly, until it sees the trigger
A trusted MCP email tool quietly BCCs every message to an attacker