Bug 2476638 (CVE-2026-31229)

Summary: CVE-2026-31229 adversarial-robustness-toolbox: kubeflow: python: Adversarial Robustness Toolbox (ART): Remote code execution via insecure deserialization in Kubeflow component
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bbrownin, dfreiber, drow, jburrell, jkoehler, ljawale, lphiri, luizcosta, nweather, rbobbitt, rhel-process-autobot, sdawley, teagle, vkumar, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Adversarial Robustness Toolbox (ART), specifically within its Kubeflow component. This vulnerability, categorized as insecure deserialization (CWE-502), occurs when loading model weights without proper security restrictions. A remote attacker can exploit this by uploading a maliciously crafted model file or by controlling a parameter to point to such a file. Successful exploitation allows for the execution of arbitrary code on the affected system, leading to remote code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-12 18:04:35 UTC
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.