Skip to main content

ESA AnomalyMatch EUVD-2026-33701

| CVE-2026-38950 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-01 mitre GHSA-84q4-pj7g-82qq
Checkpoint RCE Deserialization N A
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 01, 2026 - 21:23 vuln.today
Analysis Generated
Jun 01, 2026 - 21:23 vuln.today
CVSS changed
Jun 01, 2026 - 21:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.

AnalysisAI

Arbitrary code execution in ESA AnomalyMatch before 1.3.1 allows local attackers with low privileges to run code under the application's process by planting a malicious PyTorch checkpoint into a session directory, which is loaded via torch.load() with weights_only=False. No public exploit is identified at time of analysis, but the upstream fix (PR #9) and a third-party advisory (imlabs.info) confirm the unsafe-deserialization root cause and the migration to safetensors.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local foothold or supply chain access
Delivery
Plant crafted .pth/.pkl in session checkpoints directory
Exploit
Victim opens AnomalyMatch session
Install
torch.load deserializes attacker pickle
C2
__reduce__ executes arbitrary Python
Execute
Code runs as analyst user
Impact
Pivot, persist, or exfiltrate data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to place a malicious model checkpoint file (.pth or .pkl) into a path AnomalyMatch will load - specifically the session's checkpoints/ subdirectory referenced by SessionIOHandler.load_model or load_model_checkpoint - and then have a legitimate user (or automated job) open that session so torch.load(..., weights_only=False) or pickle.load() is invoked on the attacker file. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) frames this as a local, low-complexity, low-privilege exploit with full CIA impact - consistent with a researcher dropping a poisoned checkpoint into a shared session directory on a multi-user analysis host or shared HPC node. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged access on a shared analysis workstation (or who can drop a file into a network-mounted session directory used by AnomalyMatch) places a crafted .pth checkpoint whose pickle stream contains a __reduce__ payload invoking os.system or similar. When an analyst later opens that session in AnomalyMatch, SessionIOHandler.load_model calls torch.load(..., weights_only=False) and the payload executes with the analyst's privileges. …
Remediation Upgrade to ESA AnomalyMatch 1.3.1 or later, which replaces torch.save/torch.load and pickle.load with safetensors via the new anomaly_match/data_io/checkpoint_io module (see PR https://github.com/esa/AnomalyMatch/pull/9). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify and document all ESA AnomalyMatch deployments and versions in use; restrict filesystem access to session directories to the application service account only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-47747 HIGH
7.8 Jun 16

Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely a
CVE-2026-47750 HIGH
7.8 Jun 16

Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user

CVE-2026-47749 HIGH
7.8 Jun 16

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and
CVE-2026-54499 HIGH
7.5 Jun 19

Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch
CVE-2026-48775 MEDIUM
6.8 Jun 16

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary P

Share

EUVD-2026-33701 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy