Apr 29, 2026
IT News

Critical RCE Flaw in Hugging Face LeRobot: CVE-2026-25874 Leaves 21,000+ Users Exposed

A critical unpatched vulnerability (CVE-2026-25874, CVSS 9.8) in Hugging Face's LeRobot platform allows unauthenticated remote code execution via unsafe pickle deserialization.

#Hugging Face#LeRobot#CVE-2026-25874#Security Vulnerability#RCE

Introduction

On April 28, 2026, security researchers publicly disclosed a critical vulnerability in Hugging Face's LeRobot, one of the most popular open-source robotics AI platforms on GitHub with more than 21,500 stars. Tracked as CVE-2026-25874 with a CVSS score of 9.8, the flaw enables any attacker with network access to execute arbitrary system commands on a vulnerable deployment — without authentication. As of the disclosure date, the vulnerability remains unpatched, placing every organization running LeRobot in a production or research environment at immediate risk.

The discovery highlights a recurring and underappreciated problem in the AI infrastructure ecosystem: the use of Python's unsafe pickle serialization format in network-facing services designed to run at the intersection of AI software and physical hardware.

Feature Overview

The Vulnerable Component: PolicyServer

LeRobot's architecture offloads computationally intensive policy inference to a dedicated GPU-backed server component called the PolicyServer. This server communicates with robot control loops and training clients over gRPC, receiving sensor observations and returning action predictions in real time.

The vulnerability lives in how the PolicyServer deserializes incoming gRPC messages. Across multiple RPC endpoints, the server calls Python's pickle.loads() directly on data received from the network. Pickle deserialization is inherently unsafe: a crafted pickle payload can instruct the Python runtime to execute arbitrary code during deserialization, before any application-level validation occurs.
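As an added example (not LeRobot's code), the pickle-free alternative the researchers point to: a stdlib-only encoder and decoder for observation tensors in the safetensors layout (8-byte little-endian header length, JSON header, raw buffers), where the decoder validates every header field before it touches a byte and can never be told to call a Python object. The size bound, the dtype allowlist, the tensor name and the sample values are constructed for the example.

```python
import json
import math
import struct

MAX_PAYLOAD = 64 * 1024 * 1024   # constructed upper bound; tune per deployment
DTYPES = {"F32": ("f", 4)}       # dtype allowlist: struct format code, byte width


def encode(tensors):
    """tensors: {name: (shape, flat list of floats)} -> bytes in safetensors layout."""
    header, buf = {}, bytearray()
    for name, (shape, values) in tensors.items():
        raw = struct.pack(f"<{math.prod(shape)}f", *values)   # little-endian, checks count
        header[name] = {"dtype": "F32", "shape": list(shape),
                        "data_offsets": [len(buf), len(buf) + len(raw)]}
        buf += raw
    hdr = json.dumps(header).encode()
    return struct.pack("<Q", len(hdr)) + hdr + bytes(buf)


def decode(payload):
    """Validate every header field before touching the buffer; ValueError if anything is off."""
    if not 8 <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload size out of bounds")
    (hlen,) = struct.unpack("<Q", payload[:8])
    if hlen > len(payload) - 8:
        raise ValueError("header length exceeds payload")
    header, data = json.loads(payload[8:8 + hlen]), payload[8 + hlen:]
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    out = {}
    for name, meta in header.items():
        if not isinstance(meta, dict) or meta.get("dtype") not in DTYPES:
            raise ValueError(f"{name}: dtype not allowed")
        code, width = DTYPES[meta["dtype"]]
        shape, offs = meta.get("shape"), meta.get("data_offsets")
        if (not isinstance(shape, list) or not all(type(d) is int and d >= 0 for d in shape)
                or not isinstance(offs, list) or len(offs) != 2
                or not all(type(o) is int for o in offs)):
            raise ValueError(f"{name}: malformed shape or offsets")
        start, end = offs
        if not 0 <= start <= end <= len(data) or end - start != math.prod(shape) * width:
            raise ValueError(f"{name}: offsets disagree with shape")
        out[name] = (tuple(shape), struct.unpack(f"<{math.prod(shape)}{code}", data[start:end]))
    return out


def is_valid(payload):  # cheap pre-dispatch check an RPC handler can run first
    try:
        decode(payload)
        return True
    except (ValueError, struct.error):
        return False
```

A pickle payload handed to decode() fails the header-length check on its first eight bytes, and a header that names anything but an allowlisted dtype is rejected before the buffer is read.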

No Transport Security, No Authentication

The vulnerability is compounded by two configuration choices in the default LeRobot deployment. First, the gRPC server is bound using add_insecure_port(), meaning all traffic flows without TLS encryption. Second, no authentication layer sits in front of the RPC endpoints — no token validation, no client certificate requirement, no IP allow-listing.

The result is a direct path from the network to pickle.loads() with no defensive layer between an attacker and arbitrary code execution on the host machine.

Scope and Impact

With over 21,500 GitHub stars, LeRobot is among the most widely deployed open-source robotics AI frameworks. It is used in academic research labs, startup robotics teams, and increasingly in production industrial environments where the PolicyServer may be exposed on internal networks shared with other systems.

An attacker exploiting CVE-2026-25874 gains the ability to run any command with the privileges of the LeRobot process — which, in GPU-backed inference environments, often runs with elevated system permissions. Potential consequences include data exfiltration, ransomware deployment, lateral movement through connected internal networks, and in physical robotics deployments, the ability to send malicious action commands to robot actuators.

Usability Analysis

From an operational security standpoint, the vulnerability is straightforward to exploit: any attacker who can reach the gRPC port over the network can send a malicious payload and receive a shell. The absence of TLS and authentication means there is no layer to bypass — the attack surface is simply the open port.

For teams using LeRobot in cloud or shared-infrastructure environments, the risk is particularly acute. The PolicyServer is designed to be accessed remotely by robot control clients, meaning it is often listening on a routable address rather than localhost. Organizations that have not placed the service behind a firewall or network policy are directly exposed.

For teams running LeRobot on isolated lab networks with strict physical access controls, the immediate risk is lower but not eliminated — insider threats and compromised internal machines represent a realistic attack vector.

Pros and Cons

Pros (of the disclosure):

  • Public disclosure creates pressure for a rapid fix and gives the community clear technical details to act on
  • The CVE assignment and CVSS 9.8 score ensure the issue is treated with the urgency it warrants
  • Researchers provided concrete mitigation guidance that affected teams can implement immediately without waiting for an official patch
  • The disclosure follows responsible reporting norms and includes proof-of-concept detail sufficient for defenders to validate their exposure

Cons (of the situation):

  • The vulnerability remains unpatched as of April 28, 2026, leaving all current LeRobot deployments vulnerable
  • Unsafe pickle deserialization is a well-known class of vulnerability; its presence in a network-facing service in a 2026 production codebase reflects a gap in security review processes
  • The default configuration (insecure gRPC port, no authentication) maximizes exposure for developers who deploy without additional hardening
  • Physical robotics deployments face an additional risk vector: a compromised PolicyServer could issue malicious action commands to actuators

Outlook

The CVE-2026-25874 disclosure will likely accelerate a broader security review of the AI infrastructure ecosystem. LeRobot is not unique in its use of pickle serialization — the format appears throughout Python-based ML codebases because of its convenience and historical precedent. PyTorch model files (.pt) use pickle by default, and numerous training and inference pipelines serialize Python objects to disk or over the network using the same mechanism.

Hugging Face's safetensors format was developed precisely to address this problem for model weights, but its adoption has not extended uniformly to inference infrastructure components. The LeRobot vulnerability serves as a reminder that the attack surface of AI systems extends well beyond the model itself into the surrounding infrastructure.

Expect an official patch from the Hugging Face LeRobot team in the near term. In the meantime, the three concrete mitigations provided by researchers — replacing pickle with protobuf or safetensors, enabling TLS via add_secure_port(), and adding gRPC interceptor-based authentication — are actionable today with moderate engineering effort.
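The transport and authentication fixes named above, as an added example rather than LeRobot's own code: a gRPC ServerInterceptor that checks a shared bearer token in call metadata before any handler runs, and a server bound with add_secure_port() behind TLS. It assumes grpcio is installed, a PEM key and certificate exist at the constructed paths, a POLICY_SERVER_TOKEN environment variable is set, and the servicer registration line is a placeholder.

```python
import hmac
import os
from concurrent import futures


def token_ok(metadata, expected):
    """Pure check, testable without grpcio: `metadata` is the sequence of (key, value)
    pairs gRPC exposes as handler_call_details.invocation_metadata."""
    for key, value in metadata:
        if key == "authorization" and value.startswith("Bearer "):
            presented = value[len("Bearer "):]
            return hmac.compare_digest(presented.encode(), expected.encode())
    return False


def make_auth_interceptor(expected_token):
    import grpc  # imported here so token_ok stays importable where grpcio is absent

    def deny(request, context):
        context.abort(grpc.StatusCode.UNAUTHENTICATED, "missing or invalid bearer token")

    # A unary handler is enough to reject; streaming methods would want the matching kind.
    denied = grpc.unary_unary_rpc_method_handler(deny)

    class TokenAuthInterceptor(grpc.ServerInterceptor):
        def intercept_service(self, continuation, handler_call_details):
            if token_ok(handler_call_details.invocation_metadata, expected_token):
                return continuation(handler_call_details)
            return denied  # request never reaches the servicer, so nothing is deserialized

    return TokenAuthInterceptor()


def serve(bind_addr="0.0.0.0:8080", key_path="server.key", cert_path="server.crt"):
    """Constructed address and paths; POLICY_SERVER_TOKEN must be set (no default on purpose)."""
    import grpc
    with open(key_path, "rb") as key, open(cert_path, "rb") as cert:
        creds = grpc.ssl_server_credentials([(key.read(), cert.read())])
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=4),
                         interceptors=[make_auth_interceptor(os.environ["POLICY_SERVER_TOKEN"])])
    # add_PolicyServerServicer_to_server(PolicyServerServicer(), server)  # placeholder names
    server.add_secure_port(bind_addr, creds)  # TLS on the wire, instead of add_insecure_port()
    server.start()
    server.wait_for_termination()
```

Passing root certificates and require_client_auth=True to ssl_server_credentials() upgrades this to mutual TLS, which replaces the shared token with per-client certificates.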

Conclusion

CVE-2026-25874 is a textbook example of how dangerous network-facing Python services become when they combine unsafe serialization with absent transport security and no authentication. For any organization running LeRobot in a networked environment — research lab, startup, or production facility — immediate action is required: isolate the PolicyServer behind a firewall, restrict gRPC port access to known clients, and begin the migration away from pickle serialization. The vulnerability is critical, unpatched, and trivially exploitable.

Editor's Verdict

"Critical RCE Flaw in Hugging Face LeRobot: CVE-2026-25874 Leaves 21,000+ Users Exposed" is a workable proposition that fills a clear gap, even if it doesn't fundamentally change the landscape.

The strongest case for paying attention is that public disclosure with full technical detail enables defenders to assess their exposure and apply mitigations immediately, which raises the bar for what readers should now expect from peers in this space. Reinforcing that, the concrete remediation steps (replace pickle, enable TLS, add gRPC authentication) are actionable today without waiting for an official patch, which adds practical value rather than just headline appeal. The broader signal worth registering is straightforward: CVSS 9.8 places CVE-2026-25874 among the most severe vulnerability disclosures affecting AI infrastructure in 2026, and the combination of no authentication and unsafe deserialization is maximally dangerous. On the other side of the ledger, the fact that the vulnerability is unpatched as of public disclosure, with no official fix available from Hugging Face as of April 28, 2026, is a real constraint, not a marketing footnote, and it should factor into any serious decision. Layered on top of that, the default deployment configuration (insecure gRPC, no auth) maximizes exposure, and developers who followed the documentation are at risk, which narrows the set of teams for whom this is an obvious yes.

For AI industry watchers, strategy teams, and decision-makers tracking platform shifts, the smart move is to track its trajectory and revisit once the rough edges are filed down. For everyone else, the safer posture is to monitor coverage and revisit once the use cases that matter to your team are demonstrated in the wild.

Pros

  • Public disclosure with full technical detail enables defenders to assess their exposure and apply mitigations immediately
  • Concrete remediation steps (replace pickle, enable TLS, add gRPC authentication) are actionable today without waiting for an official patch
  • CVE assignment and CVSS 9.8 score ensure the severity is communicated clearly to security operations teams

Cons

  • Vulnerability is unpatched as of public disclosure — no official fix available from Hugging Face as of April 28, 2026
  • Default deployment configuration (insecure gRPC, no auth) maximizes exposure; developers who followed documentation are at risk
  • Physical robotics deployments face an amplified threat surface beyond standard RCE consequences
  • Pickle deserialization in a network-facing service is a known anti-pattern; the flaw reflects a gap in the project's security review process


Key Features

1. CVE-2026-25874 (CVSS 9.8): Critical unauthenticated remote code execution vulnerability in Hugging Face LeRobot's PolicyServer component.
2. Root cause: Python's unsafe pickle.loads() function used to deserialize incoming gRPC data across multiple RPC endpoints, with no input validation before deserialization.
3. No transport security: PolicyServer bound with add_insecure_port() — no TLS, no client certificate enforcement — across all gRPC communications.
4. No authentication: Zero access controls on RPC endpoints; any network-reachable attacker can send a crafted payload directly.
5. Scope: 21,500+ GitHub stars; used in academic research, startups, and production industrial robotics environments.
6. Physical risk: Compromised PolicyServer can issue malicious action commands to connected robot actuators in addition to standard RCE consequences.

Key Insights

  • CVSS 9.8 places CVE-2026-25874 among the most severe vulnerability disclosures affecting AI infrastructure in 2026; the combination of no authentication and unsafe deserialization is maximally dangerous.
  • Pickle deserialization as a vulnerability class has been documented for over a decade — its presence in a network-facing service in 2026 reflects insufficient security review in the AI tooling ecosystem.
  • The PolicyServer's default insecure gRPC configuration suggests LeRobot was designed primarily as a research tool and has outpaced its original security model as adoption has grown into production environments.
  • Physical robotics deployments face a qualitatively different risk: an attacker with RCE on the PolicyServer may also control robot actuators, creating potential for physical harm or equipment damage.
  • Hugging Face's safetensors format already solves this problem for model weights; extending that principle to inference infrastructure RPC payloads is the correct long-term architectural fix.
  • The disclosure will likely prompt security audits of other popular AI infrastructure components that use pickle serialization in networked contexts, including PyTorch-based serving frameworks.
  • Affected teams should treat network isolation of the PolicyServer as an emergency measure, not a permanent fix — the underlying serialization architecture needs to be replaced.
