Skip to main content

Snorkel CVE-2026-31224

| EUVDEUVD-2026-29508 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-gpx5-7xm4-229w
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:56 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 12, 2026 - 00:00 nvd
HIGH 8.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 pypi packages depend on snorkel (4 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.10.0.

DescriptionCVE.org

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

AnalysisAI

Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.

Technical ContextAI

This vulnerability affects the Snorkel weak supervision framework, specifically the MultitaskClassifier component used for multi-task learning workflows. The root cause is CWE-502 (Deserialization of Untrusted Data) in the model loading pipeline. PyTorch's torch.load() function uses Python's pickle module by default, which can deserialize arbitrary Python objects including executable code. Modern PyTorch versions support weights_only=True to restrict deserialization to tensor data only, but Snorkel v0.10.0 and earlier fail to enable this security parameter. The vulnerable code path is MultitaskClassifier.load(), which ML practitioners use to restore trained model checkpoints. This follows a pattern seen in other ML frameworks where backwards compatibility with older pickle-based model formats creates security risks when loading untrusted files.

RemediationAI

Upgrade to Snorkel version newer than v0.10.0 once a patched release is published by the snorkel-team maintainers. No vendor-released patch identified at time of analysis - monitor the GitHub repository at https://github.com/snorkel-team/snorkel for security updates and watch for announcements regarding CVE-2026-31224 remediation. Until an official patch is available, implement these compensating controls with noted trade-offs: (1) Load model files only from trusted, integrity-verified sources (cryptographic signatures, internal repositories with access controls) - this prevents social engineering attacks but requires establishing model provenance infrastructure. (2) Execute all model loading operations in sandboxed environments (containers with no network access, restricted file system permissions, separate user contexts) - limits blast radius if malicious model is loaded but adds operational complexity to ML workflows. (3) Monkey-patch the vulnerable method to enforce weights_only=True in torch.load() calls if using PyTorch ≥1.13.0 - this is the most effective technical control but may break compatibility with legitimately complex model architectures that require custom object deserialization. (4) Implement file integrity monitoring on model directories and require peer review before loading external models - adds human verification step but slows iteration cycles. Organizations should assess their model supply chain security posture and implement defense-in-depth appropriate to their risk tolerance.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-31224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy