Bug 2479907 (CVE-2026-31072) - CVE-2026-31072 apscheduler: APScheduler: Remote Code Execution via Insecure Deserialization
Summary: CVE-2026-31072 apscheduler: APScheduler: Remote Code Execution via Insecure D...
Keywords:
Status: NEW
Alias: CVE-2026-31072
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-19 16:01 UTC by OSIDB Bzimport
Modified: 2026-06-02 08:28 UTC (History)
54 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-19 16:01:25 UTC
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers


Note You need to log in before you can comment on or make changes to this bug.