CVE-2026-31229 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: May 13, 2026
Adversarial Robustness Toolbox - Remote Code Execution
Published: May 12, 2026 | Updated: May 13, 2026 | Remotely exploitable
Overview
Adversarial Robustness Toolbox (ART) <= 1.20.1 contains an insecure deserialization vulnerability: the Kubeflow model-loading path calls torch.load() without weights_only=True, so the full pickle machinery runs on the model file. An attacker who can supply a malicious model file can therefore execute arbitrary code remotely on the host that loads it.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can execute arbitrary code remotely by loading malicious model files, potentially leading to full system compromise.
Mitigation
Update to the latest version of Adversarial Robustness Toolbox (ART) that enforces secure deserialization.
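The weak and hardened loading patterns side by side, as an added example that is not ART's own code. It uses Python's pickle module with a restricted Unpickler as a stand-in for torch.load(), so it runs without torch; the SAFE_GLOBALS allowlist, the function names and the sample "model files" are constructed for illustration (a real torch checkpoint also needs the tensor-rebuild helpers on its allowlist, which torch.load(weights_only=True) handles for you).

```python
import io
import pickle
import fractions
from collections import OrderedDict

# Constructed allowlist of (module, name) globals a weights file may name.
# Just enough for the plain OrderedDict state dict built below.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Mirrors the idea behind torch.load(weights_only=True): every global the
    pickle stream tries to import is checked against an allowlist, so a
    crafted file cannot have arbitrary callables resolved and run on load."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on allowlist")


def load_weights_unsafe(data: bytes):
    # Vulnerable pattern (torch.load without weights_only=True):
    # any global named in the file is imported and may be called.
    return pickle.load(io.BytesIO(data))


def load_weights_safe(data: bytes):
    # Hardened pattern (torch.load(..., weights_only=True) equivalent).
    return WeightsOnlyUnpickler(io.BytesIO(data)).load()


def make_samples():
    """Constructed sample files: a benign state dict, and one that names a
    global outside the allowlist. The global used here is harmless; the
    point is that the loader decides by allowlist, not by guessing intent."""
    benign = pickle.dumps(OrderedDict([("layer1.weight", [0.1, 0.2])]))
    untrusted = pickle.dumps(fractions.Fraction(1, 3))
    return benign, untrusted


def check(data: bytes) -> str:
    """'ok' if the file loads under the restricted loader, else 'rejected'."""
    try:
        load_weights_safe(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"
```

In a real deployment the fix is the one-line change to torch.load(path, weights_only=True); the restricted loader above shows why that flag closes the hole.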
Details
- CVE ID: CVE-2026-31229
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: rejected
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H