CVE-2026-31229: ART: torch.load() RCE via insecure deserialization

AWAITING NVD
Published May 12, 2026
CISO Take

The Adversarial Robustness Toolbox (ART) through v1.20.1 contains an unsafe deserialization flaw in its Kubeflow component: model weights are loaded via torch.load() without the weights_only=True safety flag, allowing arbitrary Python objects to execute through the Pickle module at load time. Any Kubeflow-based ML pipeline using ART for robustness evaluation is exposed — an attacker who can write a malicious .pt file to the referenced object storage bucket, or influence the model_id parameter, achieves remote code execution inside the pipeline worker pod. No CVSS is assigned yet and the CVE has no KEV entry, but Pickle-based RCE is a well-understood, trivially weaponizable primitive once the file-write path exists. Upgrade ART to a patched release as soon as available, restrict object-storage write ACLs to validated CI/CD pipelines, and scan model files with fickling before loading as an interim control.

Sources: NVD, ATLAS, GitHub Advisory

Risk Assessment

Effective severity is HIGH despite the absence of a formal CVSS score. Pickle deserialization RCE has a long track record of reliable exploitation with off-the-shelf tooling (fickling, custom payloads). The attack surface is any pipeline that loads model files via ART's Kubeflow component, and in cloud ML environments object storage is frequently over-permissioned. Blast radius extends to the full Kubeflow cluster if the pipeline service account holds broad IAM permissions, making this a potential multi-tenant compromise vector.

Attack Kill Chain

Initial Access (AML.T0010.003)
Attacker writes a maliciously crafted .pt file containing a Pickle payload to the object storage bucket referenced by the ART Kubeflow pipeline, or redirects the model_id parameter to an attacker-controlled location.

Artifact Staging (AML.T0018.002)
Attacker crafts the .pt file to embed a Pickle-serialized Python object (e.g., a reverse shell or credential harvester) that executes transparently when deserialized by torch.load().

Exploitation (AML.T0011.000)
ART's Kubeflow component calls torch.load() on the malicious file without weights_only=True, triggering arbitrary Python code execution inside the Kubeflow pipeline worker pod.

Impact (AML.T0112.001)
Malicious payload executes with the pod's identity, enabling credential theft from environment variables, lateral movement via the Kubernetes service account token, and persistent access to the ML platform.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Monitor Trusted-AI/adversarial-robustness-toolbox on GitHub and upgrade to the patched version when released.

  2. Immediately restrict write permissions on the object storage bucket used for model artifacts to only validated, signed CI/CD pipeline identities.

  3. Validate model file integrity via cryptographic hash (SHA-256) before ingestion and reject files from unverified sources.

  4. Scan .pt/.pth files with fickling (pip install fickling) prior to loading; block any file containing non-safe opcodes.

  5. In your own PyTorch code, enforce torch.load(..., weights_only=True) and audit all dependencies for the same pattern.

  6. Apply Kubernetes RBAC to limit pipeline service account permissions to the minimum required namespace.
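As an added example covering steps 3 to 5 above (not code from the page, from ART, or from PyTorch): a pre-load gate that pins the file's SHA-256 and then walks the pickle opcodes inside a .pt archive to list every global the file would import, rejecting anything outside an allowlist, without ever unpickling. The allowlist and the make_pt helper that mimics torch.save's zip layout are assumptions so the example runs without torch installed; a file that passes is the one you then hand to torch.load(path, weights_only=True).

```python
import hashlib, hmac, io, pickle, pickletools, zipfile
from collections import OrderedDict, deque
# Globals a plain state_dict resolves: an assumption modelled on torch's weights_only allowlist.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.LongStorage"}

def unsafe_globals(stream: bytes) -> list:
    """Every module.name the pickle would import that is not allowlisted; nothing is unpickled."""
    pushed, memo, seen = [], {}, []           # pushed/memo track string literals only
    for op, arg, _ in pickletools.genops(stream):
        if "UNICODE" in op.name:              # the four str-push opcodes
            pushed.append(arg)
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):  # MEMOIZE has no arg
            memo[len(memo) if arg is None else arg] = pushed[-1] if pushed else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))      # repeated module names arrive via the memo
        else:
            if op.name in ("GLOBAL", "INST"):          # protocol 0-2: arg is "module name"
                seen.append(".".join(arg.split()))
            elif op.name == "STACK_GLOBAL":            # protocol 4: module, name on the stack
                mod, name = pushed[-2:] if len(pushed) >= 2 else (None, None)
                seen.append(f"{mod}.{name}" if mod and name else "<STACK_GLOBAL non-literal>")
            pushed.append(None)               # every other opcode leaves a non-string on top
    return [g for g in seen if g not in ALLOWED_GLOBALS]

def verify_checkpoint(blob: bytes, expected_sha256: str) -> dict:
    """Gate a .pt blob: pinned SHA-256, then the opcode scan; only then torch.load(weights_only=True)."""
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        return {"ok": False, "reason": "sha256 mismatch", "sha256": digest}
    streams = [blob]                                  # legacy format: one raw pickle stream
    if zipfile.is_zipfile(io.BytesIO(blob)):          # torch zip container: <name>/data.pkl
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith("data.pkl")]
    try:
        bad = [g for s in streams for g in unsafe_globals(s)]
    except Exception as exc:                          # malformed stream: refuse, never guess
        return {"ok": False, "reason": f"unparseable pickle: {exc}"}
    if bad:
        return {"ok": False, "reason": "unsafe globals", "globals": bad}
    return {"ok": True, "sha256": digest}

def make_pt(obj, protocol: int) -> bytes:             # constructed stand-in for torch.save's layout
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()
# Constructed samples: plain weights (GLOBAL opcode) and a class outside the allowlist (STACK_GLOBAL).
BENIGN, UNTRUSTED = make_pt(OrderedDict(w=[0.5, -1.0]), 2), make_pt(deque([1, 2]), 4)
BENIGN_SHA256, UNTRUSTED_SHA256 = (hashlib.sha256(b).hexdigest() for b in (BENIGN, UNTRUSTED))
```

The STACK_GLOBAL pairing is a heuristic over the two most recent string literals or memo hits, which is how real picklers emit it; anything the scanner cannot resolve is rejected rather than trusted.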

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system supply chain security
NIST AI RMF: MANAGE-2.4 - Mechanisms to detect and respond to AI risks
OWASP LLM Top 10: LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2026-31229 actively exploited?

No confirmed active exploitation of CVE-2026-31229 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-31229?

This vulnerability affects the following AI/ML architecture patterns: Kubeflow ML pipelines, MLOps training infrastructure, ML robustness evaluation pipelines, and cloud object-storage-backed model loading.

What is the CVSS score for CVE-2026-31229?

No CVSS score has been assigned yet.

Technical Details

NVD Description

The Adversarial Robustness Toolbox (ART) through 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.

Exploitation Scenario

An adversary with write access to the S3 bucket used as model storage — obtained via a compromised cloud credential, misconfigured bucket policy, or supply chain access — crafts a malicious .pt file using fickling that embeds a reverse shell payload. They upload the file to the bucket path expected by the ART Kubeflow pipeline (or manipulate the model_id parameter to reference an attacker-controlled URL). When the Kubeflow pipeline next executes robustness evaluation, ART calls torch.load() on the file without restrictions, triggering immediate code execution inside the worker pod. The attacker uses the pod's Kubernetes service account token to query the API server, enumerate other workloads, and exfiltrate model weights or training data from adjacent pipeline steps.

Timeline

Published: May 12, 2026
Last Modified: May 12, 2026
First Seen: May 12, 2026
