Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.
AnalysisAI
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Technical ContextAI
The Adversarial Robustness Toolbox is a Python library for machine learning security, providing techniques to evaluate and defend ML models against adversarial attacks. The vulnerability (CWE-502: Deserialization of Untrusted Data) exists in the Kubeflow pipeline integration component that loads PyTorch model weights. PyTorch's torch.load() function uses Python's Pickle serialization by default, which can execute arbitrary code during deserialization. Python 3.13+ and recent PyTorch versions introduced the weights_only=True parameter to restrict deserialization to tensor data only, preventing code execution. ART versions through 1.20.1 omit this safeguard, allowing an attacker who controls model file sources (via model_id parameter manipulation or object storage compromise) to inject malicious Pickle payloads that execute when the robustness evaluation pipeline loads the model. This is a classic supply chain attack vector in ML workflows where model artifacts are treated as data rather than potentially executable code.
RemediationAI
Upgrade to Adversarial Robustness Toolbox version 1.20.2 or later when released, which should implement torch.load() with weights_only=True parameter to prevent arbitrary object deserialization. Monitor the official GitHub repository (https://github.com/Trusted-AI/adversarial-robustness-toolbox) for security patches and release announcements. Until patched versions are available, implement these compensating controls: (1) Restrict model file sources to cryptographically signed and validated storage locations with strict access controls - this prevents untrusted model injection but requires PKI infrastructure overhead. (2) Run ART Kubeflow pipelines in isolated containers with minimal privileges using security contexts (readOnlyRootFilesystem, runAsNonRoot, dropped capabilities) and network segmentation - limits post-exploitation blast radius but does not prevent initial code execution. (3) Implement input validation on model_id parameters to allowlist only approved storage paths/URLs - reduces attack surface but can be bypassed if storage itself is compromised. (4) Deploy runtime application self-protection (RASP) or syscall monitoring to detect unexpected process execution from Python model loading contexts - adds detection layer but may impact pipeline performance. Note that none of these workarounds eliminate the underlying deserialization risk; patching is the only complete remediation. Advisory details available at https://nvd.nist.gov/vuln/detail/CVE-2026-31229.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29552
GHSA-wg3p-6q3h-p6w7