CVE-2026-44827: bump diffusers to 0.38.0 to fix arbitrary code execution #944

Merged
openshift-merge-bot[bot] merged 1 commit into opendatahub-io:main from kapil27:CVE-2026-44827-diffusers-midstream
Jul 2, 2026

kapil27 (Contributor) commented Jul 2, 2026

Add diffusers>=0.38.0 as direct dependency in Pipfile and update Pipfile.lock for cuda128-torch290 and rocm64-torch290 training images to fix CVE-2026-44827 (arbitrary code execution via malicious None.py model loading).

Resolves: RHOAIENG-69899, RHOAIENG-69897

Description

How Has This Been Tested?

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • New Features
    • Added support for a newer image-generation library in the training runtime, enabling workflows that rely on diffusers version 0.38.0 or later.

Add diffusers>=0.38.0 as direct dependency in Pipfile and update
Pipfile.lock for cuda128-torch290 and rocm64-torch290 training images
to fix CVE-2026-44827 (arbitrary code execution via malicious None.py
model loading).

Resolves: RHOAIENG-69899, RHOAIENG-69897
Co-authored-by: Cursor <cursoragent@cursor.com>
openshift-ci Bot requested review from astefanutti and kryanbeane July 2, 2026 10:29

coderabbitai Bot commented Jul 2, 2026

📝 Walkthrough

Two Pipfiles for training runtime images (py312-cuda128-torch290 and py312-rocm64-torch290) had a new dependency entry added: diffusers = ">=0.38.0" in the [packages] section. No other changes were made.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Changes

| File | Change |
|---|---|
| images/runtime/training/py312-cuda128-torch290/Pipfile | Added diffusers>=0.38.0 |
| images/runtime/training/py312-rocm64-torch290/Pipfile | Added diffusers>=0.38.0 |

Security note: Version constraint is unpinned (>=0.38.0), allowing floating minor/patch upgrades — no hash pinning or exact version lock visible in this diff. This is a supply-chain risk vector (CWE-1104: Use of Unmaintained Third-Party Components; relevant to CWE-829: Inclusion of Functionality from Untrusted Control Sphere if package source integrity isn't otherwise verified via Pipfile.lock). Confirm Pipfile.lock is regenerated and hash-locked before merge — unlocked ranges permit dependency confusion/typosquatting exposure at build time.

Related issues: None specified in provided data.

Related PRs: None specified in provided data.

Suggested labels: dependencies, supply-chain

Suggested reviewers: None specified in provided data.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No Injection Vectors | ⚠️ Warning | CWE-78: .github/workflows/odh-release.yml shells untrusted workflow_dispatch input into gh release view/create without quoting or validation. | Quote and validate version before shell use; pass it via env and reject metacharacters, or invoke gh with a safely escaped argument array. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the diffusers dependency bump and the CVE-2026-44827 code-execution fix. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Contribution Quality And Spam Detection | ✅ Passed | Real CVE fix with linked Jira issues and a direct dependency floor bump; only one weak templating signal, not two categories of spam/low-quality evidence. |
| No Hardcoded Secrets | ✅ Passed | No CWE-798 indicators found; the PR only adds a dependency and refreshes lockfile hashes, with no secrets, embedded creds, or private keys in changed files. |
| No Weak Cryptography | ✅ Passed | No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or weak secret comparisons; only diffusers version/hash bumps in Pipfiles/Pipfile.locks. CWE-327 not implicated. |
| No Privileged Containers | ✅ Passed | No changed manifest sets privileged/root runtime; the only Dockerfile change keeps final USER 1001 and adds no privilege flags. |
| No Sensitive Data In Logs | ✅ Passed | No logging statements or sensitive fields were added in the diff; only dependency metadata changed, so CWE-532/CWE-200 exposure is not introduced. |


coderabbitai Bot left a comment

🧹 Nitpick comments (1)
images/runtime/training/py312-cuda128-torch290/Pipfile (1)

17-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unbounded floating constraint diverges from sibling pinning convention.

CVE-2026-44827 (CWE-94, RCE via None.py, CVSS 8.8) is real and fixed in diffusers 0.38.0 — the version floor is correct. However, >=0.38.0 has no upper bound, while the adjacent datasets = "==4.3.0" entry (Line 16) is exactly pinned. An unbounded floor means any future pipenv lock --dev re-run silently pulls in whatever diffusers ships next (breaking API changes or a newly discovered vuln) without an explicit review gate — Pipfile.lock hashes only protect until the next intentional re-lock. For a security-driven training image, prefer a pin or capped range consistent with the rest of the file.

🔒 Suggested tighter constraint
-diffusers = ">=0.38.0"
+diffusers = "==0.38.0"
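Review bot: The suggested pin targets only line 17 of images/runtime/training/py312-cuda128-torch290/Pipfile, while the same `diffusers = ">=0.38.0"` entry was also added to images/runtime/training/py312-rocm64-torch290/Pipfile. If the pin is adopted, apply it to both Pipfiles and regenerate both Pipfile.lock files so the two training images resolve the same reviewed diffusers version.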
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/runtime/training/py312-cuda128-torch290/Pipfile` at line 17, The
diffusers dependency in the Pipfile is only lower-bounded, which is inconsistent
with the sibling exact pinning and allows future unreviewed upgrades. Update the
diffusers constraint in the Pipfile to a tighter, security-reviewable version
specifier consistent with the existing dependency style, keeping the fixed
minimum from the current requirement while adding an upper bound or exact pin.
Use the diffusers entry as the target for the change and keep it aligned with
the surrounding pinned packages such as datasets.

Source: Path instructions


ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0f1c70b2-1993-4fba-b3af-959e4f8972da

📥 Commits

Reviewing files that changed from the base of the PR and between f4da9cf and fca167d.

⛔ Files ignored due to path filters (2)
  • images/runtime/training/py312-cuda128-torch290/Pipfile.lock is excluded by !**/*.lock
  • images/runtime/training/py312-rocm64-torch290/Pipfile.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • images/runtime/training/py312-cuda128-torch290/Pipfile
  • images/runtime/training/py312-rocm64-torch290/Pipfile
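
The lock-file check the review asks for (each Pipfile.lock resolves diffusers at or above the fixed release and carries hashes), as an added example that is not part of this PR or the repository. The lock bodies and the digest are constructed, and `parse_pin`, `check_lock` and `make_lock` are hypothetical helper names.

```python
import json
import re

# Assumption taken from this PR: 0.38.0 is the first diffusers release with the fix.
FIXED_FLOOR = (0, 38, 0)

def parse_pin(spec):
    """Turn a lock entry such as '==0.38.0' into a tuple; None if not a plain pin."""
    m = re.fullmatch(r"==(\d+(?:\.\d+)*)", spec or "")
    if not m:
        return None  # pre/post releases are deliberately rejected for manual review
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_lock(lock_text, package="diffusers", floor=FIXED_FLOOR):
    """Return findings for one Pipfile.lock; an empty list means it passes."""
    entry = json.loads(lock_text).get("default", {}).get(package)
    if entry is None:
        return [f"{package}: not locked in the default section"]
    findings = []
    pin = parse_pin(entry.get("version"))
    if pin is None:
        findings.append(f"{package}: no plain '==' pin in the lock")
    elif pin < floor:
        findings.append(f"{package}: locked {entry['version']} is below the fixed release")
    hashes = entry.get("hashes") or []
    if not hashes or not all(re.fullmatch(r"sha256:[0-9a-f]{64}", h) for h in hashes):
        findings.append(f"{package}: missing or malformed sha256 hashes")
    return findings

def make_lock(version, hashes):
    """Build a constructed Pipfile.lock body (not taken from the repository)."""
    return json.dumps({"_meta": {}, "default": {
        "diffusers": {"version": version, "hashes": hashes}}, "develop": {}})

CONSTRUCTED_HASH = "sha256:" + "ab" * 32  # placeholder digest, not a real artifact hash

if __name__ == "__main__":
    samples = {  # constructed lock files, one passing and one stale
        "constructed-good": make_lock("==0.38.0", [CONSTRUCTED_HASH]),
        "constructed-stale": make_lock("==0.37.1", []),
    }
    for name, text in samples.items():
        print(name, check_lock(text) or "ok")
```

Running it against each image's real Pipfile.lock in CI covers the files that the path filter above excluded from automated review.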

openshift-ci Bot commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sutaakar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved label Jul 2, 2026
openshift-merge-bot Bot merged commit 57f954a into opendatahub-io:main Jul 2, 2026
12 checks passed