Description
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insecure deserialization flaw in PyTorch-Lightning versions 2.6.0 and earlier allows a malicious checkpoint file to be loaded without the safety guard weights_only=True. The deserialization of arbitrary Python objects via Pickle gives an attacker the ability to execute arbitrary code during the load_from_checkpoint() call, compromising the confidentiality, integrity, and availability of the target system.

Affected Systems

The vulnerability affects PyTorch-Lightning packages released up to and including version 2.6.0. Users of these versions who load checkpoints from external sources are at risk.

Risk and Exploitability

No CVSS score has been published for this issue, and no EPSS score is available. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker supplying a maliciously crafted checkpoint file that the victim then loads; if the attacker can influence the checkpoint loading step, arbitrary code execution follows. Exploitation requires the victim to run code that loads the crafted checkpoint, which is a routine step in model deployment pipelines.

Generated by OpenCVE AI on May 12, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PyTorch-Lightning to a version released after 2.6.0 in which load_from_checkpoint() calls torch.load() with weights_only=True, or apply the vendor patch.
  • If an upgrade is impractical, modify the loading logic to call torch.load(..., weights_only=True) directly or implement an equivalent safety check before deserializing the checkpoint.
  • Implement strict validation of checkpoint files, ensuring they originate from trusted sources, and avoid loading checkpoints from external or untrusted locations.
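As an added illustration of the second action above, not code from the advisory, PyTorch-Lightning or PyTorch: a stdlib-only loader that applies the allowlist principle behind torch.load(weights_only=True) to a raw pickle payload, and that flags the disallowed globals it finds as a detection signal. It assumes torch is not installed, uses a deliberately tiny hypothetical allowlist (ALLOWED_GLOBALS) and two constructed sample checkpoints; a real torch checkpoint keeps its pickle in the data.pkl member of a zip archive, which would need to be extracted first.

```python
import collections
import io
import json
import pickle
import pickletools

# Hypothetical allowlist for this illustration: the one global a plain state dict needs.
# torch.load(weights_only=True) enforces a comparable, larger list of torch rebuild helpers.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> set:
    """Statically list every module.name the pickle would import, without running it.
    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4, whose operands are the
    preceding string opcodes). Triage only: operands fetched from the memo are missed, so
    RestrictedUnpickler below, not this scan, is the security gate."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.add(tuple(strings[-2:]))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals, so a crafted file cannot reach any other callable."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global in checkpoint: {module}.{name}")

def safe_load_checkpoint(data: bytes):
    """Load a raw pickle payload the way weights_only=True would: scan, then restrict."""
    unexpected = referenced_globals(data) - ALLOWED_GLOBALS
    if unexpected:  # worth logging in production: this is the detection signal
        raise pickle.UnpicklingError(f"unexpected globals: {sorted(unexpected)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed samples: a benign state dict, and one referencing a callable (json.dumps, harmless here).
BENIGN_CKPT = pickle.dumps(collections.OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
TAMPERED_CKPT = pickle.dumps({"state_dict": {}, "hook": json.dumps}, protocol=4)

def demo() -> dict:
    out = {"benign": safe_load_checkpoint(BENIGN_CKPT), "tampered_blocked": False}
    try:
        safe_load_checkpoint(TAMPERED_CKPT)
    except pickle.UnpicklingError:
        out["tampered_blocked"] = True
    return out
```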

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Lightningai; Lightningai pytorch Lightning
Vendors & Products   -                Lightningai; Lightningai pytorch Lightning

Tue, 12 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
Title                -                Insecure Deserialization in PyTorch-Lightning Allows Arbitrary Code Execution

Tue, 12 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Description          -                (the Description text shown at the top of this page)
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T15:09:17.157Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31221

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:14.020

Modified: 2026-05-12T16:38:07.807

Link: CVE-2026-31221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:15:22Z

Weaknesses

No weakness.