
CVE-2026-25874: Critical Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE

Filip Dimitrov

April 28, 2026

A critical unpatched vulnerability has been disclosed in Hugging Face LeRobot, an open-source robotics platform used for AI-driven robotics research and development. The flaw, tracked as CVE-2026-25874, could allow an unauthenticated, network-reachable attacker to execute arbitrary code on affected systems.

The vulnerability stems from unsafe deserialization in LeRobot’s async inference pipeline, where pickle.loads() is used to process data received over unauthenticated gRPC channels without TLS. By sending a crafted pickle payload through affected gRPC calls, an attacker could execute commands on the host running the PolicyServer or robot client components.
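As an added illustration (not code from LeRobot or from this advisory), the Python sketch below shows two defensive checks for pickle bytes arriving from an untrusted channel: a static opcode scan that never loads the data, and an unpickler that refuses every global lookup. The function names and the sample payloads are assumptions constructed for this example.

```python
import io
import pickle
import pickletools

# Opcodes that import a name or call/instantiate something during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}


def risky_opcodes(data: bytes) -> list:
    """List import/call opcodes in a pickle stream without ever loading it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in RISKY_OPCODES:
                found.append(opcode.name)
    except Exception:
        found.append("MALFORMED")  # truncated or non-pickle bytes
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Rebuilds only plain containers, numbers, strings and bytes."""

    def find_class(self, module, name):
        # Every global lookup is refused, so no class or function is resolved.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs, not captured LeRobot traffic.
PLAIN = pickle.dumps({"joint_positions": [0.1, 0.2], "timestep": 7}, protocol=4)
# Benign, but unpickling it requires resolving builtins.len.
WITH_GLOBAL = pickle.dumps(len, protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, risky_opcodes(blob), "rejected" if is_rejected(blob) else "loaded")
```

Payloads that carry arrays or tensors cannot pass a deny-all `find_class`; they need either an explicit allow-list of expected classes or a wire format that does not execute code on load.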

Why This Matters

Although LeRobot has primarily been used as a research and prototyping tool, AI and robotics frameworks are increasingly being adopted in production environments. This creates a larger security risk when experimental components are exposed to internal networks, sensitive datasets, model files, API keys, SSH credentials, or compute infrastructure.

Successful exploitation could allow attackers to compromise the PolicyServer host, affect connected robot clients, steal sensitive data, move laterally across the network, disrupt AI inference operations, or sabotage robotics workflows. In environments where robotics systems interact with physical processes, the potential impact may extend beyond traditional IT compromise.

Security researchers have validated the vulnerability against LeRobot version 0.4.3. The issue reportedly remains unpatched, with a fix planned for a future release, version 0.6.0.

Recommended Actions

Organizations using Hugging Face LeRobot should immediately review whether any PolicyServer or robot client components are deployed in their environment.

Until a patch is available, OP Innovate recommends:

  • Restricting network access to LeRobot PolicyServer components.
  • Ensuring LeRobot services are not exposed to the internet.
  • Placing affected services behind VPN, firewall, or trusted network controls.
  • Disabling or isolating unauthenticated gRPC access where possible.
  • Monitoring for suspicious gRPC traffic, unexpected process execution, or abnormal activity on hosts running LeRobot.
  • Rotating exposed API keys, SSH credentials, or model access tokens if compromise is suspected.
  • Tracking the upstream fix and upgrading once a patched version is released.

Stay Safe. Stay Secure

OP Innovate Research Team
