Bug 2476638 (CVE-2026-31229) - CVE-2026-31229 adversarial-robustness-toolbox: kubeflow: python: Adversarial Robustness Toolbox (ART): Remote code execution via insecure deserialization in Kubeflow component
Summary: CVE-2026-31229 adversarial-robustness-toolbox: kubeflow: python: Adversarial ...
Keywords:
Status: NEW
Alias: CVE-2026-31229
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-12 18:04 UTC by OSIDB Bzimport
Modified: 2026-07-08 07:11 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-12 18:04:35 UTC
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.


Note You need to log in before you can comment on or make changes to this bug.