Bug 2476634 (CVE-2026-31230) - CVE-2026-31230 adversarial-robustness-toolbox: Adversarial Robustness Toolbox: Arbitrary Code Execution via Command-Line Argument Injection
Summary: CVE-2026-31230 adversarial-robustness-toolbox: Adversarial Robustness Toolbox...
Keywords:
Status: NEW
Alias: CVE-2026-31230
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-12 18:04 UTC by OSIDB Bzimport
Modified: 2026-07-05 08:53 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-12 18:04:22 UTC
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the --clip_values and --input_shape command-line arguments. This allows an attacker to inject arbitrary Python code into these arguments, which will be executed when eval() is called. The vulnerability can be exploited remotely if an attacker can control these arguments (e.g., through pipeline configuration or automated scripts), leading to arbitrary code execution on the system running the ART evaluation.


Note You need to log in before you can comment on or make changes to this bug.