Critical Unpatched RCE Vulnerability in Hugging Face LeRobot Robotics Platform
Hugging Face's LeRobot robotics platform contains a critical unpatched vulnerability (CVE-2026-25874) that allows unauthenticated remote code execution via unsafe pickle deserialization. Attackers can exploit exposed gRPC endpoints to take full control of robotics servers and connected hardware.
**If you're using Hugging Face LeRobot, make sure all robot devices and servers are isolated from the internet and accessible only from trusted networks. Until version 0.6.0 is released with a fix for CVE-2026-25874, run LeRobot as a non-root user inside restricted containers, and monitor for unusual processes or outbound traffic.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-unpatched-rce-vulnerability-in-hugging-face-lerobot-robotics-platform-z-j-o-7-g/gD2P6Ple2L
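To illustrate the bug class named in the advisory (pickle bytes from a network peer being deserialized), here is an added example that is not LeRobot code and not part of the original post. It shows an allowlisting unpickler that refuses any import the receiver did not expect. The allowlist contents, size limit and sample messages are constructed assumptions.

```python
import io
import pickle
import subprocess
from collections import OrderedDict

# Assumption: illustrative allowlist, not taken from LeRobot. Plain dicts,
# lists, strings and numbers need no import and are always permitted.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Reject every global (class or function) lookup that is not allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes, max_len: int = 1 << 20):
    # Bound the message size before parsing (assumed 1 MiB limit).
    if len(data) > max_len:
        raise pickle.UnpicklingError("message too large")
    return AllowlistUnpickler(io.BytesIO(data)).load()


def classify(data: bytes):
    """Return ('accepted', obj) or ('rejected', reason) for one received message."""
    try:
        return ("accepted", safe_loads(data))
    except (pickle.UnpicklingError, EOFError) as exc:
        return ("rejected", str(exc))


# Constructed sample messages (not captured traffic).
BENIGN = pickle.dumps({"joint": [0.1, 0.2], "step": 3})
ALLOWED = pickle.dumps(OrderedDict(a=1))
# A bare reference to a class outside the allowlist; nothing is invoked.
GLOBAL_REF = pickle.dumps(subprocess.Popen)

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("allowed", ALLOWED), ("ref", GLOBAL_REF)]:
        print(label, classify(msg))
```

An allowlist narrows what a pickle stream may import; it does not replace the network isolation and least-privilege measures recommended above.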