Cybersecurity | April 29, 2026

CVE-2026-25874: Critical Unpatched RCE in Hugging Face's LeRobot Puts Robotics Hardware at Risk

A CVSS 9.8 vulnerability in LeRobot's PolicyServer uses Python pickle deserialization over an unauthenticated gRPC channel, giving remote attackers full code execution on GPU inference servers and the connected robot clients they control — no patch available yet.

CVE-2026-25874 is a critical remote code execution vulnerability in Hugging Face’s LeRobot — the open-source robotics learning framework used to train and deploy neural network policies on physical robots. CVSS score: 9.8. No patch is available as of April 28, 2026.

The flaw sits in the PolicyServer component inside LeRobot’s async inference module. When a policy server starts, it opens a gRPC channel using add_insecure_port() — no TLS, no authentication — and then deserializes incoming data with Python’s pickle.loads(). Pickle deserialization is a well-understood attack surface: a crafted pickle payload can execute arbitrary system commands during the deserialization call, before any application-level validation runs.

What makes this particularly dangerous is the deployment context. LeRobot policy servers run with elevated privileges to control robot hardware and typically sit on internal research networks that trust traffic from robotics workstations. An attacker who can reach the gRPC port — either on the same network or through a compromised connected client — sends a single malicious pickle payload and gets a shell. That shell has access to the GPU server running inference, any connected robot hardware, and whatever storage or compute is mounted on that machine.

Real robot deployments are the severe case: a compromised policy server can issue arbitrary joint commands to the robot client, so the impact extends beyond data theft to physical safety, depending on the hardware involved.

What to do right now:

  1. Firewall the gRPC port. If your PolicyServer is exposed beyond localhost, block it at the network level immediately.
  2. Replace pickle with safe serialization. Switch the inference API to accept JSON or safetensors payloads. Pickle should never deserialize untrusted input.
  3. Add gRPC auth. Use gRPC token-based auth interceptors. add_insecure_port() should not exist in a network-reachable service.
  4. Monitor for exploitation. Review server logs for unexpected pickle payloads or unusual process spawning from the gRPC server process.
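As an added example (not LeRobot's code), this is what steps 2 through 4 look like on the server side in standard-library Python: the request decoder refuses anything carrying pickle's PROTO header and logs it, accepts only a fixed JSON observation schema, and a constant-time bearer-token check stands in for what a gRPC auth interceptor would run before decoding. The field names and the 6-value state vector are constructed for the example, not LeRobot's wire format.

```python
# Added example, not LeRobot code: JSON decoder replacing pickle.loads(), plus interceptor token check.
import hmac
import json
import logging
import math
import pickle

PICKLE_PROTO = b"\x80"  # PROTO opcode: first byte of every pickle.dumps() stream (protocol >= 2)
STATE_DIM = 6           # assumed joint count for this sample schema, not LeRobot's wire format
EXPECTED_KEYS = {"timestep", "state"}

class RejectedPayload(ValueError):
    """Anything that is not a well-formed JSON observation."""

def check_token(metadata: dict, expected: bytes) -> bool:
    """Constant-time bearer-token comparison for a gRPC auth interceptor (step 3)."""
    presented = metadata.get("authorization", "").encode()
    return hmac.compare_digest(presented, b"Bearer " + expected)

def decode_observation(raw: bytes) -> dict:
    """Replacement for pickle.loads(raw): parse and validate, never execute (step 2)."""
    if raw.startswith(PICKLE_PROTO):
        # Worth alerting on (step 4): a JSON client never sends this byte.
        logging.getLogger("policy_server").warning("rejected pickle stream of %d bytes", len(raw))
        raise RejectedPayload("pickle is not accepted")
    try:
        obs = json.loads(raw.decode("utf-8"))  # UnicodeDecodeError and JSONDecodeError are ValueErrors
    except ValueError as exc:
        raise RejectedPayload(f"malformed JSON: {exc}") from None
    if not isinstance(obs, dict) or set(obs) != EXPECTED_KEYS:
        raise RejectedPayload("unexpected schema")
    if type(obs["timestep"]) is not int or obs["timestep"] < 0:  # type() so bool is excluded
        raise RejectedPayload("timestep must be a non-negative int")
    state = obs["state"]
    # json.loads() accepts NaN/Infinity by default; isfinite() rejects them before they reach a motor.
    if not (isinstance(state, list) and len(state) == STATE_DIM
            and all(type(x) in (int, float) and math.isfinite(x) for x in state)):
        raise RejectedPayload(f"state must be {STATE_DIM} finite numbers")
    return obs

def classify(raw: bytes) -> str:
    """Log-friendly verdict: 'accepted' or 'rejected: <reason>'."""
    try:
        decode_observation(raw)
        return "accepted"
    except RejectedPayload as exc:
        return f"rejected: {exc}"

# Constructed sample requests: a valid observation, a harmless pickle of a dict, and a NaN state.
GOOD_REQUEST = json.dumps({"timestep": 3, "state": [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]}).encode()
PICKLE_REQUEST = pickle.dumps({"timestep": 3})
NAN_REQUEST = b'{"timestep": 3, "state": [NaN, 0, 0, 0, 0, 0]}'
```

Feeding `classify()` the three sample requests yields "accepted" for the JSON observation and a "rejected: ..." verdict for the pickle stream and the NaN state; the warning line is what step 4's log review would key on.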

Hugging Face has not yet released a patch or official mitigation guide. The disclosure was published on April 28; the project’s GitHub issue tracker shows the LeRobot team is aware and actively working on a fix.

LeRobot has gained significant adoption in robotics research labs since its release in 2024, partly because Hugging Face has positioned it as the “Transformers for robotics” — the framework that makes it easy to train and deploy visuomotor policies on real hardware with minimal code. That adoption makes the attack surface meaningful.

Until a patched release ships, any LeRobot PolicyServer reachable from outside localhost is effectively an unauthenticated RCE endpoint. Treat it accordingly.