Description
Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845.
Published: 2026-01-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker can send specially crafted data to the add_tool endpoint of Upsonic’s service, which listens on TCP port 7541. The server deserializes the payload without validating it, allowing execution of arbitrary code in the service account context. This flaw is a classic deserialization weakness (CWE‑502) that can compromise confidentiality, integrity, and availability of the affected system. The vulnerability requires no authentication, giving remote attackers full control over the target once the endpoint is reachable.

Affected Systems

The flaw affects all installations of the Upsonic product from the vendor Upsonic. The advisory gives no specific version range, so any deployment running the vulnerable add_tool endpoint contains the vulnerability.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as Critical, confirming the potential for complete system compromise. Although the EPSS score is below 1%, indicating a low current exploitation probability, the lack of authentication and the remote reachability mean this vulnerability can be abused wherever traffic to port 7541 is allowed. The advisory does not place it in the KEV catalog, but the high severity and remote nature warrant urgent attention. Exploitation requires only network access to the service port; no additional credentials or local privileges are needed.

Generated by OpenCVE AI on April 18, 2026 at 03:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest patched version of Upsonic that resolves the deserialization issue
  • If an immediate update is not possible, block or restrict inbound traffic to TCP port 7541 using a firewall or network ACL
  • Disable the add_tool endpoint or remove the service if it is not required for operational purposes
  • Apply an upstream patch from the vendor or use a custom wrapper that sanitizes incoming payloads before deserialization
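For the wrapper option in the last item, the sketch below is an added example, not Upsonic's code and not a vendor fix: it loads a pickle stream through an allow-list `find_class` and rejects anything that names a global outside it. The names `AllowListUnpickler`, `safe_loads`, `check`, the allow-list contents and the size cap are assumptions made for illustration. Function objects serialized by cloudpickle depend on globals outside this allow-list, so they would be rejected.

```python
import io
import pickle
import platform

# Assumption: a tool-registration request carries plain data only (str, int,
# list, dict), which needs no global lookups, so very little is allowed.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}
MAX_PAYLOAD_BYTES = 64 * 1024  # assumed size cap for one request body


class PayloadRejected(Exception):
    """The payload is oversized, malformed, or names a blocked global."""


class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global lookup in the stream; this is the step
        # where an untrusted stream obtains importable callables.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise PayloadRejected(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    if len(data) > MAX_PAYLOAD_BYTES:
        raise PayloadRejected("payload too large")
    try:
        return AllowListUnpickler(io.BytesIO(data)).load()
    except PayloadRejected:
        raise
    except Exception as exc:  # truncated or corrupt stream
        raise PayloadRejected(f"malformed payload: {exc}") from exc


def check(data: bytes) -> str:
    try:
        safe_loads(data)
        return "accepted"
    except PayloadRejected as exc:
        return f"rejected: {exc}"


# Constructed samples. Pickling a function stores only a reference to it;
# nothing is called when the second sample is built or checked.
SAMPLE_DATA = pickle.dumps({"name": "add", "args": ["a", "b"]})
SAMPLE_GLOBAL_REF = pickle.dumps(platform.node)

if __name__ == "__main__":
    for label, blob in [("plain data", SAMPLE_DATA), ("global ref", SAMPLE_GLOBAL_REF)]:
        print(f"{label}: {check(blob)}")
```

An allow-list narrows what a stream can reach; the network restriction on port 7541 listed above still applies alongside it.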


Advisories

No advisories yet.

History

Fri, 23 Jan 2026 17:15:00 +0000

Values added (the Values Removed column is empty):

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Values added (the Values Removed column is empty):

  • First Time appeared: Upsonic; Upsonic upsonic
  • Vendors & Products: Upsonic; Upsonic upsonic

Fri, 23 Jan 2026 04:00:00 +0000

Values added (the Values Removed column is empty):

  • Description: Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845.
  • Title: Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • Weaknesses: CWE-502
  • References
  • Metrics: cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-01-23T16:26:49.540Z

Reserved: 2026-01-08T22:50:37.089Z

Link: CVE-2026-0773

Vulnrichment

Updated: 2026-01-23T16:26:45.696Z

NVD

Status: Deferred

Published: 2026-01-23T04:16:04.493

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses