A serious security vulnerability has been identified in LeRobot, an open-source robotics platform developed by Hugging Face, potentially allowing attackers to execute arbitrary code without authentication.
Tracked as CVE-2026-25874, the flaw carries a high severity rating of 9.3 and raises significant concerns for organizations using AI-driven robotics systems.
Root Cause of the Vulnerability
The issue originates from unsafe data handling within LeRobot’s asynchronous inference pipeline. Specifically, the platform relies on Python’s pickle module to deserialize incoming data, a method widely known for its security risks.
Security researchers found that the system processes serialized data received through gRPC communication channels that lack authentication and encryption. Because of this, a remote attacker can craft a malicious payload and send it to the system, where it is executed during deserialization.
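The following is an added example, not LeRobot's code and not the project's planned fix: it shows why loading pickle data from an untrusted channel is dangerous and one way a receiver can refuse such data, using only Python's standard library. The field name `joint_pos`, the empty allowlist, and the harmless `ConstructedSample` payload are assumptions made for illustration.

```python
import io
import pickle
import pickletools

# Assumption: messages carry only plain data (dict, list, str, bytes, numbers),
# so no global may be imported during unpickling. Extend deliberately if needed.
ALLOWED_GLOBALS = frozenset()

# Opcodes that import a name or call/instantiate something while loading.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup that is not explicitly allowlisted."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def risky_opcodes(data: bytes) -> set:
    """Statically list code-capable opcodes; nothing is executed."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPCODES}

class ConstructedSample:
    """Constructed, harmless stand-in: loading it calls len('abc')."""
    def __reduce__(self):
        return (len, ("abc",))

# Constructed sample messages (not captured traffic).
PLAIN = pickle.dumps({"joint_pos": [0.1, 0.2], "t": 3}, protocol=4)
CALLS = pickle.dumps(ConstructedSample(), protocol=4)

if __name__ == "__main__":
    print(risky_opcodes(PLAIN))          # plain data needs no code opcodes
    print(sorted(risky_opcodes(CALLS)))  # payload imports and calls a callable
    print(pickle.loads(CALLS))           # stock loader runs the callable
    try:
        safe_loads(CALLS)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

An allowlisting unpickler narrows what a message can do but does not replace authenticating and encrypting the gRPC channel, which is the other half of the root cause described above.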
How the Attack Works
The vulnerability exists in key communication functions such as SendPolicyInstructions, SendObservations, and GetActions. By exploiting these entry points, an attacker can inject a specially crafted pickle payload and trigger code execution on either the server or connected client systems.
Research from Resecurity indicates that the PolicyServer component is particularly exposed. If an attacker can access its network port, they can deliver malicious serialized data and gain control over the host system.
Potential Impact

This vulnerability poses a major risk due to the nature of AI and robotics environments, which often operate with elevated privileges and access to critical infrastructure.
Successful exploitation could result in:
- Unauthorized remote code execution without authentication
- Full compromise of the PolicyServer environment
- Manipulation or disruption of connected robotic systems
- Exposure of sensitive assets such as API keys, SSH credentials, and machine learning models
- Lateral movement across internal networks
- Service disruption, model corruption, or operational sabotage, potentially affecting physical safety

Disclosure and Current Status
The vulnerability was further analyzed by security researcher Valentin Lobstein, who confirmed its presence in LeRobot version 0.4.3. As of now, no official patch has been released, although a fix is expected in version 0.6.0.
Interestingly, the flaw had previously been reported by another researcher known as “chenpinji” in late 2025. The development team acknowledged the issue earlier this year, noting that the affected code requires significant redesign due to its experimental origins.
Developer Response and Future Direction
According to project lead Steven Palma, the platform was initially intended for research and prototyping, which contributed to limited focus on production-level security.
As adoption grows, the team has committed to improving security practices. Being an open-source project, LeRobot also benefits from community contributions in identifying and fixing vulnerabilities.