Critical CVE-2026-25874 Leaves Hugging Face LeRobot Open to Unauthenticated RCE — Pickle Deserialization in PolicyServer (April 28, 2026)
Cybersecurity researchers on April 28 disclosed CVE-2026-25874, a critical (CVSS 9.3) unauthenticated remote code execution flaw in Hugging Face's open-source robotics platform LeRobot. The bug stems from pickle.loads() being called on bytes received over unauthenticated, plaintext gRPC in the async-inference PolicyServer. It is unpatched, with a fix only planned for v0.6.0.
Hugging Face's open-source robotics platform LeRobot — used in research and increasingly in production AI-on-robot deployments — contains a critical, unpatched flaw that lets a network-reachable attacker run arbitrary code on the host with no credentials. The Hacker News and Resecurity published their write-ups on April 28, 2026. The issue is tracked as CVE-2026-25874 with a CVSS score of 9.3.
What Happened
VulnCheck security researcher Valentin Lobstein published proof-of-concept details for an unauthenticated remote code execution flaw in LeRobot's async inference pipeline. The bug is a textbook unsafe-deserialization issue: the policy server and robot client components hand attacker-controlled bytes to pickle.loads() over a gRPC channel that has neither TLS nor authentication, across the SendPolicyInstructions, SendObservations and GetActions RPC endpoints.
The GitHub advisory states it plainly: "An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls." Lobstein validated the exploit against LeRobot v0.4.3, the current PyPI release at time of disclosure.
This is not the first time the issue has been reported. A researcher using the alias "chenpinji" flagged the same flaw to the LeRobot team in December 2025. In January, LeRobot tech lead Steven Palma acknowledged the report on the project's tracker, writing that "that part of the codebase needs to be almost entirely refactored as its original implementation was more experimental," and that LeRobot has historically been "primarily a research and prototyping tool, which is why deployment security hasn't been a strong focus until now."
Key Details
- CVE ID: CVE-2026-25874, disclosed April 28, 2026.
- CVSS score: 9.3 (critical) per the GitHub advisory; some downstream feeds report 9.8.
- Affected component: lerobot.async_inference.PolicyServer and the matching robot client, both in the official PyPI package.
- Confirmed vulnerable version: LeRobot v0.4.3.
- Patch status: Currently unpatched. A fix is planned for LeRobot v0.6.0.
- Root cause: pickle.loads() on attacker-controlled bytes from unauthenticated, plaintext gRPC endpoints, including SendPolicyInstructions, SendObservations and GetActions.
- Discovered by: Valentin Lobstein, VulnCheck (public proof of concept). Independently reported to the project by "chenpinji" in December 2025.
What Developers and Users Are Saying
Reaction on Hacker News and Reddit's r/netsec has been pointed. The most upvoted comment on the disclosure thread quotes Lobstein directly: "The irony here is hard to overstate. Hugging Face created Safetensors — a serialization format designed specifically because pickle is dangerous for ML data. And yet their own robotics framework deserializes attacker-controlled network input with pickle.loads(), with # nosec comments to silence the tool that was trying to warn them."
Robotics engineers on r/MachineLearning are split. Some defend the original design — async inference was "a research toy that escaped the lab" — while others note that LeRobot is now showing up in production demos at hardware partners, and that the responsible-disclosure window has effectively been four months with no patch shipped. The most upvoted r/netsec comment flags the deeper supply-chain risk: any model artifact loaded by a vulnerable PolicyServer is also a code-execution vector.
What This Means for Developers
If you run LeRobot's async inference PolicyServer, assume that any host whose gRPC port is reachable from an untrusted network may already be compromised. Resecurity recommends three immediate mitigations: (1) replace pickle with safetensors, JSON or native protobuf fields for every serialized payload; (2) replace add_insecure_port() with add_secure_port() backed by TLS server credentials; and (3) enforce authentication for every incoming RPC via gRPC interceptors and token-based access. Until v0.6.0 ships, isolate the PolicyServer behind a VPN or a service mesh that enforces mutual TLS, and audit any model files that may have been served from an attacker-controlled bucket. Keep in mind that steps (2) and (3) only bound who can reach the endpoint; they do not make the pickle.loads() call itself safe, so a compromised client on the trusted side can still execute code on the server, and a malicious server can still execute code on any client that calls GetActions. Only step (1) removes the primitive.
Teams running LeRobot only as a local research notebook are largely unaffected, provided the PolicyServer's gRPC listener is not reachable from other hosts; the bug requires network access to that port. Anyone deploying LeRobot to a fleet of robots on a shared network should apply the network-level mitigations today rather than waiting for v0.6.0.
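The following is an added example, not LeRobot's code and not from the GitHub advisory or Resecurity's write-up, that shows in working Python why the pattern described under "What Happened" is remote code execution and what mitigation (1) above looks like in practice. It builds a constructed pickle whose __reduce__ hands pickle.loads() a callable (builtins.eval reading the process id, a harmless stand-in for spawning a shell), scans a pickle stream with the standard library's pickletools to flag code-bearing opcodes before anything is loaded (the check to run over model files pulled from a suspect bucket), shows a restricted Unpickler as a stop-gap, and finishes with a pickle-free JSON/base64 encoding for the numeric observation and action payloads an RPC would carry. All function names, the dtype table and the sample tensors are this example's own assumptions. The transport fixes in steps (2) and (3) need a running gRPC server and are not shown.

```python
"""Added example, not LeRobot code: the pickle.loads() RCE primitive, an
opcode-level check that catches such a stream before it is loaded, a
restricted unpickler as a stop-gap, and a pickle-free encoding for numeric
payloads. Every payload is constructed here; nothing touches the network."""
import base64
import io
import json
import os
import pickle
import pickletools
import struct


# --- 1. The attack primitive ------------------------------------------------
class Exploit:
    """At load time pickle calls whatever callable __reduce__ names (here
    builtins.eval) with the attacker's arguments: arbitrary code execution."""
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_pickle():
    """Attacker side: a constructed payload, harmless here (it only reads the
    pid) but structurally identical to one that would spawn a shell."""
    return pickle.dumps(Exploit())


def benign_pickle():
    """A plain-data pickle for comparison (constructed sample)."""
    return pickle.dumps({"joint_pos": [0.1, 0.2, 0.3]})


def vulnerable_handler(payload):
    """The flawed pattern: network bytes go straight into pickle.loads()."""
    return pickle.loads(payload)


def demo_rce_returns_pid():
    """True iff loading the payload ran the attacker's expression in-process."""
    return vulnerable_handler(build_malicious_pickle()) == os.getpid()


# --- 2. Detect before loading: scan opcodes, never execute them -------------
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(payload):
    """Opcodes that resolve or call code objects; a pure-data pickle has none.
    pickletools.genops disassembles the stream without executing it."""
    found = {op.name for op, _arg, _pos in pickletools.genops(payload)}
    return sorted(found & DANGEROUS_OPCODES)


# --- 3. Stop-gap: a loader that refuses every global lookup ----------------
class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL/STACK_GLOBAL goes through find_class; refusing it leaves
    REDUCE/NEWOBJ nothing to call. Not a substitute for dropping pickle."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def restricted_loads(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def restricted_load_rejects(payload):
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError:
        return True
    return False


# --- 4. The real fix: carry data, not code ---------------------------------
DTYPE_FMT = {"float64": "d", "float32": "f", "int64": "q", "int32": "i", "uint8": "B"}


def encode_tensor_dict(tensors):
    """{name: (dtype, shape, flat_values)} -> JSON bytes with base64 raw data.
    Same idea as safetensors or native protobuf fields: a schema, not objects."""
    out = {}
    for name, (dtype, shape, flat) in tensors.items():
        packed = struct.pack("<%d%s" % (len(flat), DTYPE_FMT[dtype]), *flat)
        out[name] = {"dtype": dtype, "shape": list(shape),
                     "data": base64.b64encode(packed).decode("ascii")}
    return json.dumps(out).encode("utf-8")


def decode_tensor_dict(payload):
    """Parse against a strict schema: known dtype, shape and length must agree.
    Nothing in this format can name a Python object, so nothing can run."""
    doc = json.loads(payload.decode("utf-8"))
    if not isinstance(doc, dict):
        raise ValueError("top level must be an object")
    result = {}
    for name, entry in doc.items():
        dtype = entry["dtype"]
        if dtype not in DTYPE_FMT:
            raise ValueError("unsupported dtype %r" % dtype)
        shape = tuple(int(d) for d in entry["shape"])
        count = 1
        for d in shape:
            count *= d
        raw = base64.b64decode(entry["data"], validate=True)
        if len(raw) != count * struct.calcsize("<" + DTYPE_FMT[dtype]):
            raise ValueError("length mismatch for %r" % name)
        result[name] = (dtype, shape,
                        list(struct.unpack("<%d%s" % (count, DTYPE_FMT[dtype]), raw)))
    return result


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("pickle.loads ran attacker code:", demo_rce_returns_pid())
    print("opcode scan flags:", dangerous_opcodes(evil), "benign:", dangerous_opcodes(benign_pickle()))
    print("restricted loader rejects payload:", restricted_load_rejects(evil))
    obs = {"joint_pos": ("float64", (3,), [0.1, 0.2, 0.3]),
           "image": ("uint8", (2, 2), [0, 255, 128, 7])}
    print("round trip without pickle:", decode_tensor_dict(encode_tensor_dict(obs)) == obs)
```

Run it as a script to see each step. The point to take away: dangerous_opcodes() and RestrictedUnpickler only shrink the attack surface (an opcode scan can be evaded by obscure encodings, and a restricted loader still parses attacker-controlled structure), whereas decode_tensor_dict() removes the primitive because the wire format has no way to reference a Python callable.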
What's Next
The LeRobot team has committed to shipping a fix in version 0.6.0. The work involves rewriting the async-inference path to drop pickle entirely and to add TLS plus mutual authentication on the gRPC layer; there is no public ETA. In the meantime, the project's GitHub Security Advisories page is the canonical source of mitigation guidance, and CISA has not yet issued an alert as of April 29, 2026.
Sources
- The Hacker News — Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE — primary write-up with quotes from VulnCheck and the LeRobot team.
- Resecurity — CVE-2026-25874: Hugging Face LeRobot Unauthenticated RCE via Pickle Deserialization — technical breakdown and remediation guidance.
- Aviatrix Threat Research Center — Critical CVE-2026-25874 in Hugging Face's LeRobot — independent analysis and impact assessment.
- CyberPress — Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks — context on production deployments.
- GBHackers — Hugging Face LeRobot Flaw Opens Door to Remote Code Execution Attacks — additional reaction and mitigation summary.
- GitHub — huggingface/lerobot — the upstream open-source repository.