Description
The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted PyTorch model file, leading to arbitrary code execution on the system hosting the Ludwig model server.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ludwig framework up to version 0.10.4 defaults to loading model weight files with torch.load() without the security-restrictive weights_only=True flag. This oversight permits the deserialization of arbitrary Python objects via the pickle module, a classic insecure deserialization flaw (CWE-502). An attacker who can supply a maliciously crafted PyTorch model file is able to execute arbitrary code on the machine that starts the Ludwig model server, compromising the confidentiality, integrity, and availability of the entire host system.

Affected Systems

The vulnerability impacts all installations of the Ludwig framework through version 0.10.4 when the serve command is used to start a model server. No specific vendor or product list is provided by the CNA, but anyone deploying Ludwig models with the default configuration of the serve component is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is < 1%, suggesting a low probability of exploitation in the wild, but a flaw of this severity can still be exploited by any attacker who gains the opportunity. The attack requires only that the server process load a malicious model file; therefore, an attacker with network or local access to the model serving endpoint could trigger the exploit. The vulnerability is not listed in the CISA KEV catalog, but its severity is high because arbitrary code execution can lead to complete system compromise.

Generated by OpenCVE AI on May 14, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Ludwig installation to version 0.10.5 or newer, where torch.load() is called with the weights_only=True parameter to prevent arbitrary object deserialization.
  • If an upgrade is not immediately feasible, patch the model serving code or configuration to enforce weights_only=True when loading model weight files, ensuring that no arbitrary Python objects are deserialized.
  • Restrict the set of accepted model files by validating signatures or checksums, and run the Ludwig model server with the least privilege necessary; consider isolating the service in a sandboxed environment or restricting network exposure.
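As an added illustration (not Ludwig or PyTorch code), the allowlist principle behind weights_only=True, shown with the standard-library pickle module so it runs without torch: a static pre-load scan lists every global a weights file would import, and a restricted unpickler refuses to resolve anything outside a constructed allowlist of container types. The allowlist, the sample blobs and the function names are assumptions made for this example.

```python
"""Allowlisted unpickling as a stand-in for torch.load(weights_only=True).

Standard-library model of the fix: a weights file should only name container
types; any other global it references is refused before it can be resolved.
"""
import io
import os
import pickle
import pickletools
from collections import OrderedDict

# Globals a state_dict-style weights blob legitimately needs. Constructed for
# this example; PyTorch maintains its own, longer list for weights_only=True.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def referenced_globals(data: bytes) -> set:
    """Statically list every (module, name) pair a pickle would import.

    Walks the opcode stream only, so nothing is executed; suitable as a
    pre-load check on an untrusted model file. Module/name strings that the
    pickler replays from its memo (BINGET) are not resolved here.
    """
    ops = list(pickletools.genops(data))
    found = set()
    for i, (op, arg, _pos) in enumerate(ops):
        if op.name == "GLOBAL":             # protocol <= 3: arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":     # protocol 4+: two preceding strings
            strings = [a for o, a, _ in ops[:i] if o.name.endswith("UNICODE")]
            found.add(tuple(strings[-2:]))
    return found


def is_loadable(data: bytes) -> bool:
    """Pre-load check: True only if every referenced global is allowlisted."""
    return referenced_globals(data) <= ALLOWED_GLOBALS


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"disallowed global {module}.{name}")


def safe_load(data: bytes):
    """Load a weights blob, rejecting anything the allowlist does not cover."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed inputs: a benign state_dict-shaped blob, and a blob that merely
# references a function outside the allowlist (stored by name, never called).
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]))
SUSPICIOUS = pickle.dumps(os.getenv)
```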



Advisories
Source       ID                    Title
GitHub GHSA  GHSA-xp5q-5q7g-q26r   Ludwig framework is vulnerable to insecure deserialization in its model serving component
History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in Ludwig Model Serving Enables Arbitrary Code Execution

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared: Ludwig-ai; Ludwig-ai ludwig
Vendors & Products: Ludwig-ai; Ludwig-ai ludwig

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization in Ludwig Model Serving Enables Arbitrary Code Execution
Weaknesses CWE-502

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted PyTorch model file, leading to arbitrary code execution on the system hosting the Ludwig model server.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T19:54:20.630Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31238

Vulnrichment

Updated: 2026-05-14T16:55:17.956Z

NVD

Status : Deferred

Published: 2026-05-12T18:16:52.210

Modified: 2026-05-14T20:17:03.430

Link: CVE-2026-31238

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:45:31Z

Weaknesses