Skip to main content

Adversarial Robustness Toolbox CVE-2026-31229

| EUVDEUVD-2026-29552 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-wg3p-6q3h-p6w7
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 16:23 vuln.today
CVSS changed
May 13, 2026 - 16:22 NVD
9.8 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.

AnalysisAI

Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

Technical ContextAI

The Adversarial Robustness Toolbox is a Python library for machine learning security, providing techniques to evaluate and defend ML models against adversarial attacks. The vulnerability (CWE-502: Deserialization of Untrusted Data) exists in the Kubeflow pipeline integration component that loads PyTorch model weights. PyTorch's torch.load() function uses Python's Pickle serialization by default, which can execute arbitrary code during deserialization. Python 3.13+ and recent PyTorch versions introduced the weights_only=True parameter to restrict deserialization to tensor data only, preventing code execution. ART versions through 1.20.1 omit this safeguard, allowing an attacker who controls model file sources (via model_id parameter manipulation or object storage compromise) to inject malicious Pickle payloads that execute when the robustness evaluation pipeline loads the model. This is a classic supply chain attack vector in ML workflows where model artifacts are treated as data rather than potentially executable code.

RemediationAI

Upgrade to Adversarial Robustness Toolbox version 1.20.2 or later when released, which should implement torch.load() with weights_only=True parameter to prevent arbitrary object deserialization. Monitor the official GitHub repository (https://github.com/Trusted-AI/adversarial-robustness-toolbox) for security patches and release announcements. Until patched versions are available, implement these compensating controls: (1) Restrict model file sources to cryptographically signed and validated storage locations with strict access controls - this prevents untrusted model injection but requires PKI infrastructure overhead. (2) Run ART Kubeflow pipelines in isolated containers with minimal privileges using security contexts (readOnlyRootFilesystem, runAsNonRoot, dropped capabilities) and network segmentation - limits post-exploitation blast radius but does not prevent initial code execution. (3) Implement input validation on model_id parameters to allowlist only approved storage paths/URLs - reduces attack surface but can be bypassed if storage itself is compromised. (4) Deploy runtime application self-protection (RASP) or syscall monitoring to detect unexpected process execution from Python model loading contexts - adds detection layer but may impact pipeline performance. Note that none of these workarounds eliminate the underlying deserialization risk; patching is the only complete remediation. Advisory details available at https://nvd.nist.gov/vuln/detail/CVE-2026-31229.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-31229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy