Description
A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Deserialization vulnerability potentially enabling arbitrary code execution
Action: Patch Pending
AI Analysis

Impact

The vulnerability resides in the RedisCache function of datapizza-ai 0.0.2 and allows an attacker to manipulate data that is subsequently deserialized, which could lead to execution of arbitrary code. The CVSS v4.0 score of 2.1 indicates a low overall rating, but the nature of deserialization attacks means that a successful exploitation could compromise the system's integrity if payloads are accepted from an attacker-controlled source. The description emphasizes that the exploit is difficult to perform, requiring local network access and a high level of complexity.

Affected Systems

Datapizza-labs' datapizza-ai version 0.0.2 is affected, specifically the RedisCache implementation located in datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. No other versions or products are listed as vulnerable in the current data.

Risk and Exploitability

The exploitation probability is very low, with an EPSS score of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to be on the local network and involves high complexity, indicating that a successful compromise would most likely stem from a privileged local user or a compromised device within the same network segment. Because the vendor did not respond to the disclosure, there is currently no official fix, which increases the importance of reducing the attack surface and monitoring for any future patch or advisory.

Generated by OpenCVE AI on April 17, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update datapizza-ai to a released patched version as soon as one is available
  • Segment the network to restrict local access to Redis instances used by datapizza-ai
  • Disable or isolate any untrusted Redis endpoints that could be exploited
  • Apply safe deserialization practices or disable the vulnerable RedisCache function if a patch is not yet available
  • Regularly monitor vulnerability databases and vendor announcements for updates
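The advisory title names the weak spot as pickle.loads() in RedisCache, and the fourth action above asks for "safe deserialization practices". The following is an added illustration of what that looks like in Python; it is not code from the datapizza-ai project, and it assumes a minimal in-memory stand-in for the Redis client (FakeRedis, constructed here so the example runs offline) and a shared secret supplied by the deployment. Instead of unpickling whatever bytes come back from Redis, the wrapper stores JSON (data only, never code) and binds each record to an HMAC-SHA256 tag, so an entry written by any other client on the same network that lacks the secret is treated as a cache miss rather than trusted.

```python
import hashlib
import hmac
import json
from typing import Any, Optional


class FakeRedis:
    """Constructed stand-in for a Redis client: an in-memory dict exposing only
    the get/set methods the cache uses, so the example runs without a server."""

    def __init__(self) -> None:
        self._store: dict = {}

    def get(self, key: bytes) -> Optional[bytes]:
        return self._store.get(key)

    def set(self, key: bytes, value: bytes) -> None:
        self._store[key] = value


class SafeRedisCache:
    """Hypothetical cache wrapper that never unpickles what it reads back.

    Values are JSON-encoded and each record carries an HMAC-SHA256 tag over
    the Redis key and the body. A client that can reach Redis but lacks the
    secret cannot produce a record that get() accepts, so a tampered or
    foreign entry degrades to a cache miss instead of being trusted."""

    _VERSION = b"v1"

    def __init__(self, client, secret: bytes, namespace: str = "cache") -> None:
        self._client = client
        self._secret = secret
        self._namespace = namespace

    def _redis_key(self, key: str) -> bytes:
        return f"{self._namespace}:{key}".encode("utf-8")

    def _tag(self, redis_key: bytes, body: bytes) -> bytes:
        # Binding the key into the tag stops a valid record for one key
        # from being copied over another key.
        return hmac.new(self._secret, redis_key + b"\x00" + body, hashlib.sha256).digest()

    def set(self, key: str, value: Any) -> None:
        body = json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")
        rk = self._redis_key(key)
        record = b".".join([self._VERSION, self._tag(rk, body).hex().encode("ascii"), body])
        self._client.set(rk, record)

    def get(self, key: str, default: Any = None) -> Any:
        rk = self._redis_key(key)
        raw = self._client.get(rk)
        if raw is None:
            return default
        # Parse defensively: anything that is not "v1.<hex tag>.<json>" is a miss.
        parts = raw.split(b".", 2)
        if len(parts) != 3 or parts[0] != self._VERSION:
            return default
        try:
            tag = bytes.fromhex(parts[1].decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            return default
        if not hmac.compare_digest(tag, self._tag(rk, parts[2])):
            return default
        try:
            return json.loads(parts[2])
        except ValueError:
            return default


def demo() -> dict:
    """Round-trip a value, then show that tampered and forged records are refused."""
    r = FakeRedis()
    cache = SafeRedisCache(r, secret=b"constructed-demo-secret-not-for-production")
    cache.set("answer", {"model": "demo", "tokens": 42})
    out = {"roundtrip": cache.get("answer")}

    # Another client on the same network overwrites the entry with an opaque
    # blob (constructed placeholder bytes, not a real payload). A pickle-based
    # cache would hand this straight to pickle.loads(); here it is a miss.
    r.set(b"cache:answer", b"\x80\x04CONSTRUCTED-PLACEHOLDER")
    out["tampered"] = cache.get("answer")

    # A well-formed record written without the secret fails the HMAC check.
    forged_body = json.dumps({"model": "demo", "tokens": 0}).encode("utf-8")
    r.set(b"cache:answer", b"v1." + (b"00" * 32) + b"." + forged_body)
    out["forged"] = cache.get("answer")
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the cache fails closed: a malformed, unsigned, or forged record is indistinguishable from a missing one, so callers simply recompute the value. JSON restricts the cache to plain data, which is what removes the code-execution path that pickle carries; the HMAC is the second layer for Redis instances that other hosts on the segment can write to.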


Advisories
Source: Github GHSA
ID: GHSA-hg58-x52p-859c
Title: datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache
History

Tue, 03 Mar 2026 15:15:00 +0000

  First Time appeared   Added: Datapizza datapizza Ai
  CPEs                  Removed: cpe:2.3:a:datapizza:datapizza-ai:0.0.2:*:*:*:*:*:*:*
                        Added: cpe:2.3:a:datapizza:datapizza_ai:0.0.2:*:*:*:*:*:*:*
  Vendors & Products    Removed: Datapizza datapizza-ai
                        Added: Datapizza datapizza Ai

Wed, 25 Feb 2026 17:45:00 +0000

  First Time appeared   Added: Datapizza
                        Added: Datapizza datapizza-ai
  CPEs                  Added: cpe:2.3:a:datapizza:datapizza-ai:0.0.2:*:*:*:*:*:*:*
  Vendors & Products    Added: Datapizza
                        Added: Datapizza datapizza-ai

Mon, 23 Feb 2026 19:15:00 +0000

  Metrics               Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

  First Time appeared   Added: Datapizza-labs
                        Added: Datapizza-labs datapizza-ai
  Vendors & Products    Added: Datapizza-labs
                        Added: Datapizza-labs datapizza-ai

Mon, 23 Feb 2026 04:15:00 +0000

  Description           Added: A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Title                 Added: datapizza-labs datapizza-ai cache.py RedisCache deserialization
  Weaknesses            Added: CWE-20
                        Added: CWE-502
  References
  Metrics               Added: cvssV2_0 {'score': 4, 'vector': 'AV:A/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                        Added: cvssV3_0 {'score': 4.6, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                        Added: cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                        Added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Datapizza Datapizza Ai
Datapizza-labs Datapizza-ai
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T17:04:09.455Z

Reserved: 2026-02-22T08:12:14.812Z

Link: CVE-2026-2970

Vulnrichment

Updated: 2026-02-23T17:04:04.709Z

NVD

Status: Analyzed

Published: 2026-02-23T05:16:20.400

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses