Description
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insecure deserialization flaw in PyTorch-Lightning versions 2.6.0 and earlier allows a malicious checkpoint file to be loaded without the safety guard weights_only=True. The deserialization of arbitrary Python objects via Pickle gives an attacker the ability to execute arbitrary code during the load_from_checkpoint() process, compromising confidentiality, integrity, and availability of the target system.

Affected Systems

The vulnerability affects PyTorch-Lightning packages released up to and including version 2.6.0. Users of these versions that load checkpoints from external sources are at risk.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity, and the EPSS score is < 1%. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that a remote attacker supplies a maliciously crafted checkpoint file, which the victim then loads. If the attacker can influence the checkpoint loading step, arbitrary code execution can be achieved. The exploitation requires the victim to run code that loads the deserialized object, which is common in model deployment pipelines.

Generated by OpenCVE AI on May 15, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PyTorch-Lightning to a release after 2.6.0 in which load_from_checkpoint() calls torch.load() with weights_only=True, or apply the vendor patch.
  • If an upgrade is impractical, modify the loading logic to call torch.load(..., weights_only=True) directly or implement an equivalent safety check before deserializing the checkpoint.
  • Implement strict validation of checkpoint files, ensuring they originate from trusted sources, and avoid loading checkpoints from external or untrusted locations.
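The "equivalent safety check" in the second action above is an allowlist on the globals the unpickler may resolve, which is the idea behind torch.load(weights_only=True). The following is an added example, not code from PyTorch-Lightning or PyTorch: it works on a plain pickle stream (real Lightning checkpoints are zip archives loaded through torch's own unpickler), and the SAFE_GLOBALS allowlist and the Untrusted class are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Constructed allowlist: the only globals a plain state_dict checkpoint needs.
# Everything a pickle stream references by name (classes, functions) must pass
# through Unpickler.find_class, so gating it here blocks arbitrary callables.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global reference outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not in allowlist")


def safe_load(data: bytes):
    """Deserialize checkpoint bytes, rejecting non-allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unrestricted_load(data: bytes):
    """What a loader without the check does: instantiate whatever is referenced."""
    return pickle.loads(data)


class Untrusted:
    """Stand-in for any class a hostile checkpoint could reference by name.
    Pickle stores it as a (module, 'Untrusted') global reference, which the
    restricted loader must refuse before anything is instantiated."""


def checkpoint_fixture():
    """Constructed sample checkpoints: a benign state_dict and a hostile one."""
    good = pickle.dumps({"state_dict": OrderedDict([("w", [0.1, 0.2])]), "epoch": 3})
    bad = pickle.dumps({"state_dict": Untrusted()})
    return good, bad


def try_load(data: bytes):
    """Return ('ok', obj) for an allowlisted stream, ('rejected', reason) otherwise."""
    try:
        return "ok", safe_load(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)
```

Keep the allowlist as small as the checkpoint format requires; widening it to convenience classes is how "weights only" loaders quietly lose their guarantee.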

Advisories

Source: Github GHSA
ID: GHSA-75m9-98v2-hjpm
Title: PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization

History

Each entry lists the changed field (Type) together with the values removed and the values added.

Fri, 15 May 2026 19:45:00 +0000

  Title: Insecure Deserialization in PyTorch-Lightning Leads to Remote Code Execution

Fri, 15 May 2026 18:15:00 +0000

  Metrics:
    cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 14 May 2026 21:30:00 +0000

  Title: Insecure Deserialization in PyTorch-Lightning Allows Arbitrary Code Execution

Thu, 14 May 2026 19:00:00 +0000

  Weaknesses: CWE-502
  CPEs: cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:*
  Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 12 May 2026 19:30:00 +0000

  First Time appeared: Lightningai; Lightningai pytorch Lightning
  Vendors & Products: Lightningai; Lightningai pytorch Lightning

Tue, 12 May 2026 17:45:00 +0000

  Title: Insecure Deserialization in PyTorch-Lightning Allows Arbitrary Code Execution

Tue, 12 May 2026 16:00:00 +0000

  Description: PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T18:05:39.679Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31221

Vulnrichment

Updated: 2026-05-15T18:02:42.483Z

NVD

Status: Modified

Published: 2026-05-12T16:16:14.020

Modified: 2026-05-15T19:16:57.333

Link: CVE-2026-31221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T19:30:05Z

Weaknesses