LabOne Q CVE-2026-7584

EUVD-2026-26483, HIGH, CVSS 4.0: 8.4
Deserialization of Untrusted Data (CWE-502)
2026-05-01 NCSC.ch

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline

Patch released: May 04, 2026 - 18:23, nvd (Patch available)
Patch available: May 01, 2026 - 09:01, EUVD
Analysis Updated: May 01, 2026 - 08:27, vuln.today (v2, cvss_changed)
Re-analysis Queued: May 01, 2026 - 08:22, vuln.today (cvss_changed)
CVSS changed: May 01, 2026 - 08:22, NVD (7.8 (HIGH) to 8.4 (HIGH))
Analysis Generated: May 01, 2026 - 08:00, vuln.today
EUVD ID Assigned: May 01, 2026 - 07:45, euvd (EUVD-2026-26483)
Analysis Generated: May 01, 2026 - 07:45, vuln.today
CVE Published: May 01, 2026 - 07:21, nvd (HIGH 8.4)

Description (NVD)

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
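The unrestricted class-loading pattern described above, next to an allowlisted form, as an added example; it is not LabOne Q's code and not the vendor's actual fix. Every name other than import_cls, the `__type__`/`args` record layout, and the allowlisted standard-library modules are assumptions chosen so the block runs offline.

```python
import importlib

# Assumption: module prefixes a deployment trusts. Standard-library stand-ins
# are used here so the example runs offline.
ALLOWED_MODULE_PREFIXES = ("fractions", "decimal")


class UntrustedClassError(ValueError):
    """Raised when serialized data names a class outside the allowlist."""


def import_cls_unrestricted(qualified_name):
    """The pattern the advisory describes: any importable name is accepted."""
    module_name, _, cls_name = qualified_name.rpartition(".")
    return getattr(importlib.import_module(module_name), cls_name)


def import_cls_restricted(qualified_name, allowed=ALLOWED_MODULE_PREFIXES):
    """Check the module against the allowlist before importing anything."""
    module_name, _, cls_name = qualified_name.rpartition(".")
    if not module_name or not cls_name.isidentifier():
        raise UntrustedClassError(f"malformed class name: {qualified_name!r}")
    # Match whole dotted components so "fractionsx" does not pass as "fractions".
    if not any(module_name == p or module_name.startswith(p + ".") for p in allowed):
        raise UntrustedClassError(f"module not allowlisted: {module_name!r}")
    # Importing runs module code, so it happens only after the check above.
    obj = getattr(importlib.import_module(module_name), cls_name, None)
    # Require a class defined in the named module, so a name that a trusted
    # module merely re-exports from elsewhere is refused.
    if not isinstance(obj, type) or obj.__module__ != module_name:
        raise UntrustedClassError(f"not a class defined in {module_name!r}: {cls_name!r}")
    return obj


def load_record(record, resolver=import_cls_restricted):
    """Instantiate one record shaped like {'__type__': name, 'args': [...]}."""
    cls = resolver(record["__type__"])
    return cls(*record.get("args", []))
```

An allowlist narrows which constructors file content can reach; each allowlisted class still has to be safe to construct from untrusted arguments.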

Analysis (AI)

Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. …

Remediation (AI)

Within 24 hours: Identify all LabOne Q installations across the organization and notify users to avoid opening experiment files from untrusted sources; disable file sharing via email and unsecured channels. Within 7 days: Implement file validation procedures requiring experiment files to be scanned/reviewed before loading; consider air-gapping critical LabOne Q systems used for sensitive research. …

CVE-2026-7584 vulnerability details – vuln.today