A critical remote code execution flaw in LLaMA-Factory (through version 0.9.5) lets anyone with WebUI access run arbitrary Python code on the host by supplying a malicious model path.
What Is It
CVE-2026-58116 is a remote code execution vulnerability in LLaMA-Factory, the popular LLM fine-tuning toolkit by hiyouga. Attackers with access to the WebUI can execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input, unvalidated, into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter. This causes the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository, running with the privileges of the server process. It is classified under CWE-94 (code injection) and CWE-829 (inclusion of functionality from untrusted control sphere).
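The root cause described above is a user-controlled model path reaching `from_pretrained()` with `trust_remote_code=True`. The following added example (not code from LLaMA-Factory or the advisory) shows the hardened counterpart a maintainer would want: the WebUI input is vetted against an operator-maintained allowlist of Hub repos or confined to a local model root, and the loader is called with `trust_remote_code=False`. The allowlist entries, `model_root`, and `load_for_webui` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical operator-maintained allowlist of Hub repos (constructed names).
ALLOWED_HUB_REPOS = {"example-org/vetted-7b", "example-org/vetted-13b"}
HUB_ID_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")


def resolve_model_path(user_input: str, model_root: Path) -> str:
    """Return a vetted reference for from_pretrained(), or raise ValueError.
    Accepts only an allowlisted Hub repo id, or a directory that is still
    inside model_root after '..' and symlinks are resolved."""
    if not user_input or "\x00" in user_input:
        raise ValueError("empty or malformed model path")
    if HUB_ID_RE.match(user_input) and user_input in ALLOWED_HUB_REPOS:
        return user_input
    root = model_root.resolve()
    candidate = (root / user_input).resolve()  # an absolute input replaces root
    if candidate.is_dir() and root in candidate.parents:
        return str(candidate)
    raise ValueError(f"model path rejected: {user_input!r}")


def vet(user_input: str, model_root: Path) -> Optional[str]:
    """Vetted reference, or None when the input is rejected."""
    try:
        return resolve_model_path(user_input, model_root)
    except ValueError:
        return None


def load_for_webui(user_input: str, model_root: Path):
    """Hardened form of the vulnerable call: vetted ref, no remote code."""
    ref = resolve_model_path(user_input, model_root)
    from transformers import AutoModel, AutoTokenizer  # assumed installed
    tokenizer = AutoTokenizer.from_pretrained(ref, trust_remote_code=False)
    model = AutoModel.from_pretrained(ref, trust_remote_code=False)
    return tokenizer, model


def make_sample_root() -> Path:
    """Constructed fixture: a temporary model root with one local model."""
    root = Path(tempfile.mkdtemp(prefix="models-")).resolve()
    (root / "local-7b").mkdir()
    (root / "local-7b" / "config.json").write_text('{"model_type": "llama"}')
    return root
```

With `trust_remote_code=False`, transformers refuses to import a repository's custom modelling code even if a local directory under the root contains some, so the allowlist and path confinement are defence in depth rather than the only barrier.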
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL), with a network attack vector, low attack complexity, and no privileges or user interaction required. The CVSS 4.0 score is 9.3. Successful exploitation yields full confidentiality, integrity, and availability impact: effectively complete compromise of the server running LLaMA-Factory. Because exploitation requires only WebUI access and no authentication is called out, any exposed instance is at serious risk.
What's Vulnerable
- Vendor/Product: hiyouga / LlamaFactory (LLaMA-Factory)
- Affected versions: All versions from 0 through 0.9.5 (inclusive)
- Attack surface: The Chat and Training interfaces of the WebUI
Patch Status
The supplied NVD record (published 2026-06-30, status "Received") does not list a fixed version, patch, or specific remediation guidance. There is no CISA KEV entry in the supplied material, so active exploitation is not confirmed by KEV at this time. Operators should restrict WebUI access and monitor for vendor updates.
Sources
- VulnCheck Advisory, LLaMA-Factory Remote Code Execution via WebUI Model Path: https://www.vulncheck.com/advisories/llama-factory-remote-code-execution-via-webui-model-path
- Proof-of-Concept Gist (henrrrychau): https://gist.github.com/henrrrychau/08d76ec672f42136bbc1449c4f2973f8