๐Ÿ”AI RiskAtlas
โ† Real-world cases

LeRobot async-inference gRPC pickle RCE (CVE-2026-25874)

Disclosed vulnerability · 23 Apr 2026

CVE-2026-25874 (GHSA-f7vj-73pm-m822) is a critical unsafe-deserialization vulnerability disclosed in Hugging Face's LeRobot, an open-source framework for embodied/robotics AI policy models. According to the GitHub Security Advisory and the original researcher writeup by Valentin Lobstein ('Chocapikk'), LeRobot's async-inference module, which offloads policy inference to a GPU-backed server, implements a gRPC PolicyServer and RobotClient that call Python's pickle.loads() on data received over the wire. The server reportedly binds with add_insecure_port(), i.e. no TLS and no authentication, so any attacker able to reach the PolicyServer port can send a crafted pickle payload through the gRPC handlers (reported as SendPolicyInstructions, SendObservations, and GetActions) and execute arbitrary OS commands on the inference host before any type validation occurs.

Because LeRobot inference nodes typically run with GPU access, elevated privileges, and a path to robotics hardware, internal networks, datasets, and API keys/model files, reporting frames the impact as both a software-security and a physical-safety concern. The advisory carries a CVSS 9.3 (CVSS 4.0) score; several outlets cite 9.8 (CVSS 3.1).

The researcher reports independent discovery and PoC on 11 Feb 2026, public disclosure on 22 Apr 2026, and CVE assignment / GitHub advisory publication on 23 Apr 2026, with the affected version line through 0.5.1 (the researcher tested 0.4.3 on PyPI) and a fix planned for 0.6.0; the issue was reported as unpatched at disclosure. The advisory references GitHub issues huggingface/lerobot#3047 and #3134 and PR #3048.

The recommended mitigations are to replace pickle with safe serialization (JSON, protobuf fields, or safetensors), switch to add_secure_port() with TLS, and enforce gRPC authentication. (Figures, versions, and timeline are as reported in public sources; any payload details would be illustrative, not operational.)
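To make the root cause and the first recommended mitigation concrete, here is an added, illustrative example (written for this case summary, not code from LeRobot or from the researcher writeup) that places the unsafe pattern the advisory describes, pickle.loads() on bytes received from a peer, beside a schema-checked JSON decoder of the kind the "replace pickle with safe serialization" advice calls for. The message layout (a timestamp plus a list of joint positions), the function names and the size/field limits are hypothetical; LeRobot's real observation structures are richer. A RestrictedUnpickler is included as a defence-in-depth for code that cannot drop pickle immediately: it refuses every global lookup, so only primitive containers and numbers can be loaded.

```python
import io
import json
import math
import pickle

# Hypothetical message limits for this illustration (not LeRobot's values).
MAX_OBS_BYTES = 1_000_000
EXPECTED_FIELDS = {"timestamp", "joint_positions"}
MAX_JOINTS = 64


def unsafe_decode_observation(wire_bytes: bytes):
    """The vulnerable pattern: the peer's bytes are handed straight to pickle.
    pickle reconstructs objects by importing and calling whatever the stream
    names, so code runs before any of the fields below are ever inspected."""
    return pickle.loads(wire_bytes)


class ObservationDecodeError(ValueError):
    """Raised for any message that does not match the expected schema."""


def safe_decode_observation(wire_bytes: bytes) -> dict:
    """Hardened replacement: JSON carries data only, never executable objects,
    and every field is type- and range-checked before it reaches the policy."""
    if len(wire_bytes) > MAX_OBS_BYTES:
        raise ObservationDecodeError("observation exceeds size limit")
    try:
        obj = json.loads(wire_bytes.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ObservationDecodeError(f"malformed observation: {exc}") from exc
    if not isinstance(obj, dict) or set(obj) != EXPECTED_FIELDS:
        raise ObservationDecodeError("unexpected field set")
    ts = obj["timestamp"]
    if isinstance(ts, bool) or not isinstance(ts, (int, float)) or not math.isfinite(ts):
        raise ObservationDecodeError("timestamp must be a finite number")
    joints = obj["joint_positions"]
    if not isinstance(joints, list) or not 0 < len(joints) <= MAX_JOINTS:
        raise ObservationDecodeError("joint_positions must be a non-empty bounded list")
    for j in joints:
        if isinstance(j, bool) or not isinstance(j, (int, float)) or not math.isfinite(j):
            raise ObservationDecodeError("joint values must be finite numbers")
    # Normalise to plain floats so downstream code sees exactly one shape.
    return {"timestamp": float(ts), "joint_positions": [float(j) for j in joints]}


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth for legacy pickle paths: reject every GLOBAL/STACK_GLOBAL
    lookup, which is the hook pickle uses to reach importable callables."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(wire_bytes: bytes):
    """Load a pickle that may contain only primitives, lists, dicts and tuples."""
    return RestrictedUnpickler(io.BytesIO(wire_bytes)).load()


if __name__ == "__main__":
    # Constructed sample message; a real client would produce it from sensors.
    sample = json.dumps({"timestamp": 12.5, "joint_positions": [0.1, -0.2, 0.3]}).encode()
    print(safe_decode_observation(sample))
    try:
        safe_decode_observation(b'{"timestamp": "NaN", "joint_positions": []}')
    except ObservationDecodeError as err:
        print("rejected:", err)
    # A pickle of plain data loads; one that names an importable object does not.
    print(restricted_loads(pickle.dumps({"joint_positions": [1.0, 2.0]})))
    try:
        restricted_loads(pickle.dumps(math.isfinite))
    except pickle.UnpicklingError as err:
        print("rejected:", err)
```

The safe decoder does three things the pickle path cannot: it bounds the message size, it forbids the wire format from naming any Python object at all, and it validates each field before use, so a malformed or hostile message fails closed with an ObservationDecodeError rather than executing. The RestrictedUnpickler is a stop-gap only; the advisory's recommendation to move to JSON, protobuf fields or safetensors, combined with add_secure_port() and gRPC authentication, removes the class of bug rather than filtering it.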

More cases on Supply-Chain Compromise

PoisonGPT (Mithril Security)
postmark-mcp backdoor
Malicious models on Hugging Face (pickle deserialization RCE)
A small number of samples can poison LLMs of any size (~250-document backdoor)
Model Namespace Reuse (Hugging Face name-trust hijack)
Slopsquatting — package hallucinations by code-generating LLMs
MCP registry / marketplace poisoning (OX Security)
ClawHavoc — mass poisoning of OpenClaw's ClawHub agent-skill marketplace
Malice in Agentland — backdooring agents through the supply chain (Boisvert et al.)
Heretic — automated LLM abliteration tool
Salesloft Drift OAuth supply-chain breach (UNC6395) — mass Salesforce data theft via an AI chat integration
Amazon Q Developer 'wiper' prompt shipped via poisoned pull request (CVE-2025-8217)
NVIDIA Triton Inference Server unauthenticated RCE chain (CVE-2025-23319 / -23320 / -23334)
SesameOp: backdoor abuses the OpenAI Assistants API as covert command-and-control
Google Big Sleep AI agent surfaces an imminently-exploited SQLite flaw (CVE-2025-6965)
MCPTox: tool-poisoning benchmark over real-world MCP servers
Operation Bizarre Bazaar (first attributed LLMjacking campaign with a resale marketplace)
TeamPCP poisons the LiteLLM AI gateway on PyPI to harvest LLM API keys
CVE-2026-21445 — Langflow missing authentication on critical API endpoints, exploited in the wild
Malicious JetBrains Marketplace plugins steal AI API keys
codexui-android — malicious npm package steals OpenAI Codex auth tokens
Flowise AI agent builder CustomMCP RCE (CVE-2025-59528)
PyTorch Lightning PyPI compromise (Mini Shai-Hulud / TeamPCP)
Project Glasswing — Claude 'Mythos' autonomously finds 10,000+ software vulnerabilities

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan