A vulnerability was found in huggingface diffusers up to 0.37.x. It has been declared as critical. This impacts the function from_pretrained of the file model_index.json of the component Pipeline Loading. Such manipulation of the argument custom_pipeline/trust_remote_code leads to improper authentication.

This vulnerability is uniquely identified as CVE-2026-45804. The attack can be launched remotely. No exploit exists.