Skip to main content

PyTorch Lightning CVE-2026-58659

| EUVDEUVD-2026-44751 HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-07-15 VulnCheck GHSA-qqmf-gpg7-g8gw
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local because a checkpoint file must be loaded (AV:L) with required victim interaction (UI:R); crafting the file needs no attacker privileges (PR:N), and code execution yields full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 17:46 vuln.today
Analysis Generated
Jul 15, 2026 - 17:46 vuln.today
CVE Published
Jul 15, 2026 - 17:02 cve.org
HIGH 8.4

DescriptionCVE.org

PyTorch Lightning through 2.6.5, fixed in commit d710d68, contains a remote code execution vulnerability in the _load_state function that imports and executes attacker-controlled module names from checkpoint _instantiator hyperparameters. Attackers can craft malicious checkpoint files that bypass weights_only=True protections to execute arbitrary code when LightningModule.load_from_checkpoint is called.

AnalysisAI

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .ckpt with _instantiator=os.system
Delivery
Distribute checkpoint via model hub or shared storage
Exploit
Victim calls load_from_checkpoint
Execution
_load_state imports attacker module path
Impact
Arbitrary code executes with victim privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim load an attacker-supplied checkpoint via LightningModule.load_from_checkpoint (the underlying _load_state path); specifically the malicious .ckpt must set hyper_parameters['_instantiator'] to an arbitrary importable path (the POC/test uses 'os.system'), which unpatched Lightning imports and executes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) correctly frames this as a local, low-complexity, unauthenticated flaw whose exploitation hinges on active user interaction - the victim must load an attacker-supplied checkpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes an attractive pretrained model checkpoint (e.g., on a model-sharing hub or shared drive) whose hyper_parameters include _instantiator set to a dangerous import path such as os.system. When a data scientist runs LightningModule.load_from_checkpoint on the file - even with weights_only=True - Lightning imports and executes that path, running arbitrary code with the victim's privileges. …
Remediation Upgrade to a PyTorch Lightning build containing fix commit d710d689510d50e800f53b3cd773cbca20b1f86f (PR #21832), which restricts the checkpoint _instantiator hyperparameter to an allowlist (_ALLOWED_INSTANTIATORS = lightning.pytorch.cli.instantiate_module and pytorch_lightning.cli.instantiate_module) and raises a ValueError on any other path; the upstream fix is confirmed, but a specific tagged/PyPI release version is not stated in the provided data, so verify the fixed version against the vendor advisory (https://www.vulncheck.com/advisories/pytorch-lightning-arbitrary-code-execution-via-instantiator-hyperparameter) before pinning. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running PyTorch Lightning and determine current versions in use across development, testing, and production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

CVE-2023-39913 HIGH
8.8 Nov 08

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK

Share

CVE-2026-58659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy