Description
The Adversarial Robustness Toolbox (ART) through 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ART up to and including 1.20.1 loads model weights in its Kubeflow component by calling torch.load() on a file such as model.pt without weights_only=True. Without that argument torch.load() hands the file to the standard Pickle unpickler, which imports and calls whatever the stream names (a __reduce__ payload that resolves to os.system is the textbook case), so a crafted model file runs attacker code the moment it is loaded. With weights_only=True, torch uses a restricted unpickler that admits only the tensor, storage and container types a state_dict needs, which is why the flag is the fix. The attacker has to influence the model source: write access to the object storage location the pipeline reads from, or control over the model_id parameter so that it points at a malicious file. The payload then runs with the privileges of the process executing the Kubeflow pipeline step, which in practice means the step's service account token, any mounted secrets and storage credentials, and whatever the pod can reach on the cluster network; data and downstream services are compromised through those. One version-dependent caveat: PyTorch 2.6 changed torch.load's default to weights_only=True, so a call that merely omits the argument, as the description puts it, is only exploitable on older PyTorch builds; check which version the pipeline image actually pins rather than assuming either way.

Affected Systems

Affected are ART deployments that use the Kubeflow component to load model files for robustness evaluation, in particular pipelines that pull model.pt artifacts from object storage or resolve them from a caller-supplied model_id. Versions up to and including 1.20.1 are affected. This page names no fixed release (see Remediation below), so treat every current release as affected until the project publishes one that passes weights_only=True. No third-party vendor is involved; the flaw lies in the ART codebase itself.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates this critical, and the SSVC entry marks it Automatable: yes, Exploitation: none. The EPSS score below 1% and the absence from the CISA KEV catalog mean that no public exploitation has been reported, not that exploitation is hard: pickle-based model loading is a well-understood primitive with off-the-shelf payload generators. Note also that the vector models an unauthenticated network attacker, while the preconditions in the description (write access to the bucket or path the pipeline reads, or control of model_id) are usually gated by cluster or storage permissions; score the exposure for your own deployment rather than taking 9.8 at face value. Environments that pull model artifacts from shared or user-writable repositories warrant immediate attention.

Generated by OpenCVE AI on May 13, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Adversarial Robustness Toolbox to a release that passes weights_only=True to torch.load when loading model files, once the project publishes one; none is named on this page yet.
  • Until then, patch the call site in your deployed copy to torch.load(path, map_location="cpu", weights_only=True); there is no ART or Kubeflow configuration setting that changes this. Running the pipeline on PyTorch 2.6 or later, where weights_only=True is the default, closes the same gap, but verify the image rather than assume. Expect checkpoints that pickle whole nn.Module objects to fail under weights_only=True unless their classes are registered with torch.serialization.add_safe_globals; saving and loading state_dicts avoids that.
  • Restrict the object storage locations the pipeline reads to trusted, access-controlled buckets and paths, pin model artifacts by digest, and scan uploaded model files before loading, rejecting any pickle stream that imports globals beyond what a state_dict needs. Where the toolchain allows, prefer the safetensors format, which carries no executable content at all.

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:45:00 +0000

Type     Values Removed   Values Added
Title    -                Insecure Deserialization in ART Kubeflow Component Enables Remote Code Execution

Wed, 13 May 2026 16:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                          ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Trusted-ai
                                      Trusted-ai adversarial-robustness-toolbox
Vendors & Products   -                Trusted-ai
                                      Trusted-ai adversarial-robustness-toolbox

Tue, 12 May 2026 19:00:00 +0000

Type        Values Removed   Values Added
Title       -                Insecure Deserialization in ART Kubeflow Component Enables Remote Code Execution
Weaknesses  -                CWE-502

Tue, 12 May 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description  -                The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T14:20:16.472Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31229

Vulnrichment

Updated: 2026-05-13T14:19:24.837Z

NVD

Status: Deferred

Published: 2026-05-12T18:16:51.160

Modified: 2026-05-13T16:16:38.880

Link: CVE-2026-31229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses