Description
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using pandas.read_pickle() without any validation or security restrictions. This allows the deserialization of arbitrary Python objects via the unsafe pickle module. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the system running the Ludwig prediction.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ludwig framework, as used in versions 0.10.4 and earlier, contains an insecure deserialization flaw in its predict() method. When a user supplies a dataset file path, the framework automatically determines the format; if the file is a pickle (.pkl) it is loaded directly with pandas.read_pickle() without any validation or security checks. This permits a malicious attacker to craft a pickle file that deserializes arbitrary Python objects, leading to remote code execution on the system running the Ludwig prediction engine.

Affected Systems

The vulnerability affects every installation of the Ludwig framework 0.10.4 or earlier, regardless of the hosting environment. Any deployment that exposes the predict() API and accepts local file paths can be exploited. The issue is vendor‑agnostic within this product line; it does not affect downstream packages that only use stable, non‑pickle inputs.

Risk and Exploitability

The attack vector is remote, requiring an attacker to send a crafted pickle file to the predict endpoint over the network. The EPSS score is reported as < 1% and the vulnerability is not listed in the CISA KEV catalog, but the absence of a remedial patch in exposed deployments makes exploitation likely. With a CVSS score of 9.8 the vulnerability is considered critical, and the potential for arbitrary code execution is high. Therefore, the risk remains high for any system that runs the vulnerable Ludwig version and is reachable by untrusted users.

Generated by OpenCVE AI on May 14, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ludwig framework to 0.11 or later to remove the insecure deserialization path.
  • If upgrading is delayed, reconfigure the predict() API to reject .pkl files or implement explicit validation of the input file type before passing it to pandas.read_pickle().
  • Restrict the network exposure of the Ludwig predict service so that only trusted internal hosts can invoke it, using firewall rules or network segmentation.

Generated by OpenCVE AI on May 14, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wcr3-gm9f-f87q Ludwig framework is vulnerable to insecure deserialization through its predict() method.
History

Thu, 14 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in Ludwig Framework Allows Remote Code Execution via Predict Method

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Ludwig-ai
Ludwig-ai ludwig
Vendors & Products Ludwig-ai
Ludwig-ai ludwig

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in Ludwig Framework Allows Remote Code Execution via Predict Method
Weaknesses CWE-502

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using pandas.read_pickle() without any validation or security restrictions. This allows the deserialization of arbitrary Python objects via the unsafe pickle module. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the system running the Ludwig prediction.
References

Subscriptions

Ludwig-ai Ludwig
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T19:54:23.672Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31237

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-12T18:16:52.087

Modified: 2026-05-14T20:17:03.267

Link: CVE-2026-31237

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T22:00:10Z

Weaknesses