
Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
Why It Matters
The flaw gives threat actors remote code execution on AI‑driven robots, jeopardizing both data integrity and real‑world safety, and underscores the need for hardened security in emerging robotics deployments.
Key Takeaways
- CVE‑2026‑25874 enables unauthenticated RCE through unsafe pickle deserialization.
- Vulnerability lives in async PolicyServer’s gRPC endpoints.
- Fix targeted for LeRobot 0.6.0; 0.4.3 stays vulnerable.
- Exploit could compromise robots, steal credentials, and cause safety hazards.
- Contradiction: Hugging Face promotes Safetensors yet uses unsafe pickle.
Pulse Analysis
The newly disclosed CVE‑2026‑25874 highlights a classic yet dangerous misuse of Python’s pickle module within LeRobot’s async inference pipeline. By deserializing data received over unauthenticated gRPC channels, the PolicyServer component allows an attacker to inject a malicious pickle payload and gain full operating‑system control on the host. With a CVSS score of 9.3, the vulnerability is among the most severe in the open‑source robotics ecosystem, and its exploitation could cascade from the policy server to connected robots, exposing API keys, model files, and even physical actuation commands.
Beyond the immediate technical risk, the flaw raises broader concerns about security hygiene in AI‑driven automation. Hugging Face pioneered Safetensors as a safer alternative to pickle for machine‑learning artifacts, yet LeRobot’s core still relies on the insecure format for network‑level communication. This inconsistency illustrates how legacy code paths and experimental features can slip through code‑review processes, especially in research‑focused projects that transition to production. Organizations deploying LeRobot must now enforce network segmentation, TLS encryption, and strict access controls while awaiting the official 0.6.0 patch.
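The two paragraphs above describe the root cause (pickle payloads deserialized straight off a gRPC socket) and the stopgap a deployer needs until the 0.6.0 refactor lands. The following is an added example, not LeRobot or Hugging Face code: a static opcode scan that flags any pickle message carrying import-or-call opcodes before it is loaded, and an allow-list unpickler (the `find_class` pattern from the Python standard library documentation) that refuses every global lookup not explicitly permitted. The sample payloads are constructed here; the `datetime.date` object stands in for any class-bearing pickle and is harmless, but it trips exactly the opcodes an attacker's payload would need.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that resolve importable names or invoke callables while loading.
# Plain data (dicts, lists, numbers, strings, bytes) never needs any of them.
DANGEROUS_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD",
})


def suspicious_opcodes(payload: bytes) -> list[str]:
    """Disassemble `payload` without loading it and list the risky opcodes.

    pickletools.genops only walks the opcode stream, so nothing executes here;
    an empty result means the message is pure data.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(payload)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects every global lookup not on an explicit allow-list."""

    def __init__(self, data: bytes, allowed: frozenset[str] = frozenset()):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed

    def find_class(self, module: str, name: str):
        # Called for GLOBAL/STACK_GLOBAL; this is the single choke point that
        # decides which classes and functions a pickle may reference at all.
        qualname = f"{module}.{name}"
        if qualname in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{qualname}' is forbidden")


def restricted_loads(payload: bytes, allowed: frozenset[str] = frozenset()):
    """Load `payload`, permitting only the globals named in `allowed`."""
    return RestrictedUnpickler(payload, allowed).load()


def try_restricted_loads(payload: bytes, allowed: frozenset[str] = frozenset()):
    """Return (True, object) on success or (False, reason) when the load is refused."""
    try:
        return True, restricted_loads(payload, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample messages (not captured traffic).
# A pure-data observation of the kind a policy client might send.
PLAIN_OBSERVATION = pickle.dumps({"joint_pos": [0.1, -0.2, 0.3], "image": b"\x00" * 8})
# A message that references a class and calls it during load.
OBJECT_PAYLOAD = pickle.dumps(datetime.date(2026, 1, 1))

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_OBSERVATION), ("object", OBJECT_PAYLOAD)):
        print(label, "flagged opcodes:", suspicious_opcodes(msg))
        print(label, "restricted load:", try_restricted_loads(msg))
    # Explicitly allowing one class lets that message through and nothing else.
    print("object with allow-list:",
          try_restricted_loads(OBJECT_PAYLOAD, frozenset({"datetime.date"})))
```

Scanning is cheap enough to run on every inbound message and gives a clean detection signal (log and drop anything that reports opcodes), while the allow-list unpickler is the containment control if pickle cannot be removed immediately. Neither replaces the real fix the article anticipates, which is a schema-based wire format such as Safetensors or protobuf messages that carry no executable structure; they buy time alongside the network segmentation, TLS, and access controls recommended above.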
The incident also underscores the vital role of the open‑source community in surfacing and remediating vulnerabilities. Researchers Valentin Lobstein and “chenpinji” independently reported the issue, prompting Hugging Face to acknowledge the need for a substantial refactor. As robotics applications move from labs to factories and warehouses, vendors and users alike will need to prioritize secure serialization practices, adopt threat‑model‑driven development, and contribute patches upstream. The upcoming fix, combined with community‑driven hardening, will be a litmus test for how quickly the ecosystem can adapt to emerging security expectations.