Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 pypi packages depend on snorkel (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.10.0.
DescriptionCVE.org
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.
AnalysisAI
Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.
Technical ContextAI
This vulnerability affects the Snorkel weak supervision framework, specifically the MultitaskClassifier component used for multi-task learning workflows. The root cause is CWE-502 (Deserialization of Untrusted Data) in the model loading pipeline. PyTorch's torch.load() function uses Python's pickle module by default, which can deserialize arbitrary Python objects including executable code. Modern PyTorch versions support weights_only=True to restrict deserialization to tensor data only, but Snorkel v0.10.0 and earlier fail to enable this security parameter. The vulnerable code path is MultitaskClassifier.load(), which ML practitioners use to restore trained model checkpoints. This follows a pattern seen in other ML frameworks where backwards compatibility with older pickle-based model formats creates security risks when loading untrusted files.
RemediationAI
Upgrade to Snorkel version newer than v0.10.0 once a patched release is published by the snorkel-team maintainers. No vendor-released patch identified at time of analysis - monitor the GitHub repository at https://github.com/snorkel-team/snorkel for security updates and watch for announcements regarding CVE-2026-31224 remediation. Until an official patch is available, implement these compensating controls with noted trade-offs: (1) Load model files only from trusted, integrity-verified sources (cryptographic signatures, internal repositories with access controls) - this prevents social engineering attacks but requires establishing model provenance infrastructure. (2) Execute all model loading operations in sandboxed environments (containers with no network access, restricted file system permissions, separate user contexts) - limits blast radius if malicious model is loaded but adds operational complexity to ML workflows. (3) Monkey-patch the vulnerable method to enforce weights_only=True in torch.load() calls if using PyTorch ≥1.13.0 - this is the most effective technical control but may break compatibility with legitimately complex model architectures that require custom object deserialization. (4) Implement file integrity monitoring on model directories and require peer review before loading external models - adds human verification step but slows iteration cycles. Organizations should assess their model supply chain security posture and implement defense-in-depth appropriate to their risk tolerance.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29508
GHSA-gpx5-7xm4-229w