Critical Unpatched RCE Vulnerability in Hugging Face LeRobot Robotics Platform

DEV Community·BeyondMachines·about 1 month ago

Summary

Hugging Face's LeRobot robotics platform contains a critical, currently unpatched vulnerability (CVE-2026-25874) that allows unauthenticated remote code execution: the server deserializes attacker-supplied data with Python's pickle, which can execute arbitrary code on load. Anyone who can reach an exposed gRPC endpoint can therefore run code on the robotics server and take control of the hardware connected to it.
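To make the root cause concrete, the following added example (not LeRobot's code; the handler names, the `_Payload` class and the sample payloads are hypothetical and constructed here) shows the unsafe pattern of feeding wire bytes straight into `pickle.loads`, beside a hardened handler that disassembles the payload with `pickletools` to reject any opcode able to import or call a function, and then loads with an `Unpickler` whose `find_class` refuses every global. The "attacker" payload invokes `os.getcwd` rather than `os.system`, so running it is harmless while still proving that an unpickle reaches arbitrary callables.

```python
"""Unsafe vs hardened handling of a pickled payload received over the wire.
Added example; the handlers, names and payloads are hypothetical and are not
LeRobot's own code."""
import io
import os
import pickle
import pickletools

# Opcodes that can import a callable or invoke one during load. A payload
# that needs none of these can only build plain containers and scalars.
DANGEROUS_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE",
})


def scan_pickle(payload: bytes) -> set:
    """Return the dangerous opcodes present, without executing anything.
    pickletools.genops only disassembles; it never imports or calls."""
    return {op.name for op, _arg, _pos in pickletools.genops(payload)} & DANGEROUS_OPCODES


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so REDUCE/NEWOBJ have nothing to call."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def vulnerable_handler(payload: bytes):
    """The unsafe pattern: untrusted bytes straight into pickle.loads."""
    return pickle.loads(payload)


def hardened_handler(payload: bytes):
    """Reject before loading, then load with globals disabled."""
    found = scan_pickle(payload)
    if found:
        raise pickle.UnpicklingError(f"rejected opcodes: {sorted(found)}")
    return NoGlobalsUnpickler(io.BytesIO(payload)).load()


def is_rejected(payload: bytes) -> bool:
    """True if the hardened handler refuses the payload."""
    try:
        hardened_handler(payload)
    except pickle.UnpicklingError:
        return True
    return False


class _Payload:
    """Constructed attacker object: unpickling calls os.getcwd() instead of
    os.system(), so the demo is harmless but proves arbitrary-call reach."""

    def __reduce__(self):
        return (os.getcwd, ())


MALICIOUS = pickle.dumps(_Payload())                # constructed, not a real sample
BENIGN = pickle.dumps({"joint_pos": [0.1, 0.2]})     # constructed telemetry-like dict


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(MALICIOUS))   # attacker's callable ran
    print("hardened rejects malicious:", is_rejected(MALICIOUS))
    print("hardened accepts benign:", hardened_handler(BENIGN))
```

Denying all globals is the most conservative setting; a real service that must accept richer objects would allowlist specific `(module, name)` pairs in `find_class`, but the safer fix is to stop using pickle for untrusted input altogether and carry the data in a schema-validated format.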

Take Action:

If you're using Hugging Face LeRobot, make sure no robot device or server is reachable from the internet and that the gRPC endpoints accept connections only from trusted networks. Until version 0.6.0 ships with a fix for CVE-2026-25874, run LeRobot as a non-root user inside a restricted container, and monitor the hosts for unexpected processes and unusual outbound traffic.


This article was originally published on BeyondMachines