CVE-2026-38950: AnomalyMatch: RCE via torch.load() unsafe deserialization

HIGH
Published June 1, 2026
CISO Take

ESA AnomalyMatch before version 1.3.1 loads model checkpoint files from its session directory with Python's pickle-based torch.load() and without the weights_only=True restriction, so any attacker who can write a crafted checkpoint into that directory obtains arbitrary code execution in the context of the loading process. No public exploit exists yet, but the torch.load() pickle deserialization attack class is extensively documented and tooling to craft malicious checkpoints is publicly available; file-write access to the session directory is the only precondition. Teams running AnomalyMatch in anomaly detection pipelines, particularly in aerospace, industrial, or OT environments where this ESA tool sees real use, should upgrade to version 1.3.1 immediately; as an interim measure, restrict write access to session directories and audit all existing checkpoint files with picklescan or fickling before the next load cycle.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium-High for organizations using AnomalyMatch in production AI/ML pipelines. The underlying torch.load() pickle deserialization vector is a well-understood, reliably exploitable attack class with publicly available weaponization tooling. Exploitability hinges on achieving write access to the session directory, which is the primary constraint — but misconfigured shared storage, adjacent system compromise, or SSRF vulnerabilities in data ingestion pipelines all provide viable paths. ML worker processes frequently run with elevated privileges or broad network access, amplifying post-exploitation impact significantly.

Attack Kill Chain

Initial Access
Attacker gains write access to the AnomalyMatch session directory via misconfigured file permissions, a compromised upstream pipeline component, or SSRF in a data ingestion service.
AML.T0049
Weaponization
Attacker crafts a malicious .pt model checkpoint file containing a Python pickle payload using publicly available tooling, designed to execute arbitrary OS commands upon deserialization.
AML.T0011.000
Execution
AnomalyMatch calls torch.load() on the malicious checkpoint during session initialization, triggering deserialization and executing the embedded pickle payload.
AML.T0018.002
Impact
Attacker achieves arbitrary code execution with ML worker process privileges, enabling reverse shell establishment, credential theft, data exfiltration, or lateral movement into connected infrastructure.
AML.T0072

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Upgrade ESA AnomalyMatch to version 1.3.1 (fix available in PR #9 on GitHub).

  2. Until patched, change any torch.load() call in custom code or forks to torch.load(path, weights_only=True). This restricts the unpickler to tensors, primitive containers and an allowlist of torch internals, so a checkpoint that pickles custom classes will fail to load; convert such checkpoints to a plain state_dict (or register the classes through torch.serialization.add_safe_globals) rather than falling back to an unrestricted load. PyTorch 2.6 and later default weights_only to True, so upgrading PyTorch gives the same protection to code that does not pass the argument explicitly.

  3. Restrict write access to session directories to trusted, minimal process accounts using filesystem ACLs.

  4. Audit existing checkpoint files with picklescan or fickling to detect embedded malicious payloads before they are loaded.

  5. Implement integrity verification — hash checks or cryptographic signing — for all model checkpoint files before loading.

  6. Monitor for unexpected child process spawning from ML worker processes (for example a python process launching sh, bash, curl or wget) as a behavioral detection signal.
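Steps 4 and 5 together, as an added example that is not AnomalyMatch code and not picklescan or fickling: a static audit that walks the pickle opcodes of a .pt file with the standard library's pickletools, without executing anything, and reports every global the stream would import that is not on an allowlist, followed by a SHA-256 manifest check that gates the load. The allowlist entries, file names, sample checkpoints and manifest are constructed for the example (a real tensor state_dict needs a longer allowlist than the three entries shown), and the STACK_GLOBAL handling assumes module and name are the two most recent string operands, which is how the reference pickler emits them but not something an adversarially restructured stream has to respect.

```python
"""Added example: audit .pt checkpoint files without loading them, then gate the
load on a trusted SHA-256 manifest. Not AnomalyMatch code; allowlist is illustrative."""
import collections
import hashlib
import hmac
import os
import pickle
import pickletools
import subprocess
import tempfile
import zipfile

# Illustrative allowlist (assumption): globals a plain tensor state_dict needs.
# A production scanner would mirror the allowlist torch.load(weights_only=True) uses.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


def pickle_globals(blob: bytes) -> list:
    """List every (module, name) the pickle stream would import, by walking
    opcodes with pickletools.genops. Nothing in the stream is executed.
    Handles GLOBAL (protocol < 4) and STACK_GLOBAL (protocol >= 4); for the
    latter the two most recent string operands are taken as module and name."""
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            pair = tuple(recent_strings[-2:])
            found.append(pair if len(pair) == 2 else ("<unknown>", "<unknown>"))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def checkpoint_pickle_streams(path: str):
    """Yield (member, bytes) for each pickle stream in a checkpoint: the zip-based
    torch format keeps it in a data.pkl member; legacy files are one raw pickle."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    yield member, zf.read(member)
    else:
        with open(path, "rb") as f:
            yield os.path.basename(path), f.read()


def audit_checkpoint(path: str) -> list:
    """Return [(member, (module, name)), ...] for every global not on the allowlist.
    An empty list means the file imports nothing beyond what a state_dict needs."""
    return [
        (member, ref)
        for member, blob in checkpoint_pickle_streams(path)
        for ref in pickle_globals(blob)
        if ref not in ALLOWED_GLOBALS
    ]


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(path: str, manifest: dict) -> bool:
    """Gate for step 5: load only if the file hash matches the trusted manifest,
    which must live somewhere the session-directory writer cannot reach."""
    expected = manifest.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(expected, sha256_file(path))


class _Dropper:
    """Constructed attacker object: on load it would call subprocess.Popen.
    The audit never loads it, so nothing runs."""

    def __reduce__(self):
        return (subprocess.Popen, (["id"],))


def build_samples(directory: str):
    """Write two constructed checkpoints: a benign zip-format state_dict and a
    malicious legacy-format pickle. Returns (benign_path, malicious_path)."""
    benign = os.path.join(directory, "benign.pt")
    with zipfile.ZipFile(benign, "w") as zf:
        state = collections.OrderedDict([("net.weight", [0.5, -0.25])])
        zf.writestr("archive/data.pkl", pickle.dumps(state, protocol=4))
    malicious = os.path.join(directory, "malicious.pt")
    with open(malicious, "wb") as f:
        f.write(pickle.dumps(_Dropper(), protocol=4))
    return benign, malicious


def run_demo() -> dict:
    """Audit both samples and check them against a manifest that trusts only the benign file."""
    with tempfile.TemporaryDirectory() as directory:
        benign, malicious = build_samples(directory)
        manifest = {"benign.pt": sha256_file(benign)}
        return {
            "benign_findings": audit_checkpoint(benign),
            "malicious_findings": audit_checkpoint(malicious),
            "benign_verified": verify_manifest(benign, manifest),
            "malicious_verified": verify_manifest(malicious, manifest),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order matters: run the hash check first, since a file that fails the manifest need not be scanned at all, and treat any audit finding as a hard stop rather than a warning. Keep the manifest outside the session directory; an attacker who can write the checkpoint can otherwise rewrite its hash too.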

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.2.4 - AI system security
NIST AI RMF
MANAGE 2.2 - Manage AI Risks
OWASP LLM Top 10
LLM03 - Training Data Poisoning

Frequently Asked Questions

What is CVE-2026-38950?

ESA AnomalyMatch before version 1.3.1 loads model checkpoints from its session directory with torch.load() and without weights_only=True. Because torch.load() is built on Python's pickle, a crafted checkpoint written into the session directory executes arbitrary code in the loading process. No public exploit has been reported, but the attack class is well documented and checkpoint-crafting tooling is publicly available. Version 1.3.1 fixes the issue; until it is deployed, restrict write access to session directories and audit existing checkpoints with picklescan or fickling.

Is CVE-2026-38950 actively exploited?

No confirmed active exploitation of CVE-2026-38950 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-38950?

1. Upgrade ESA AnomalyMatch to version 1.3.1 (fix available in PR #9 on GitHub). 2. Until patched, call torch.load(path, weights_only=True) in custom code or forks, converting any checkpoint that relies on custom pickled classes to a plain state_dict rather than loading it unrestricted. 3. Restrict write access to session directories to trusted, minimal process accounts using filesystem ACLs. 4. Audit existing checkpoint files with picklescan or fickling before they are loaded. 5. Verify checkpoint integrity (hash checks or cryptographic signing) before loading. 6. Monitor for unexpected child processes spawned by ML worker processes as a behavioral detection signal.

What systems are affected by CVE-2026-38950?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, anomaly detection systems, MLOps pipelines.

What is the CVSS score for CVE-2026-38950?

CVE-2026-38950 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.05%.

AI Security Impact

Affected AI Architectures

training pipelines, model serving, anomaly detection systems, MLOps pipelines

MITRE ATLAS Techniques

AML.T0010.003 AI Supply Chain Compromise: Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

Technical Details

Original Advisory

An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.

Exploitation Scenario

An attacker who gains write access to the AnomalyMatch session directory — through a misconfigured NFS share, a compromised upstream data pipeline component, or an SSRF vulnerability in a web-facing data ingestion service — plants a crafted .pt file embedding a malicious Python pickle payload (trivially generated with existing open-source tools). When AnomalyMatch resumes or initializes a session and calls torch.load() on the checkpoint, the pickle payload executes in the process context, spawning a reverse shell or installing a persistent backdoor with the ML worker's OS privileges, potentially enabling lateral movement into broader data infrastructure or model registries.
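The weaponization and execution stages of the kill chain and the scenario above, as an added example that is not AnomalyMatch code and not part of the advisory: a checkpoint whose pickled form invokes a callable on load, loaded first the way torch.load(path) behaved before the fix, then through an allowlisting unpickler that behaves like torch.load(path, weights_only=True). It uses the standard library's pickle directly so it runs without PyTorch installed; the allowlist, the function names and the deliberately harmless eval payload (it only returns the working directory) are this example's own choices, not the project's.

```python
"""Added example: why an unrestricted pickle load is code execution, and what a
weights_only-style allowlist changes. Stand-in for torch.load(), not AnomalyMatch code."""
import collections
import io
import pickle


class _Payload:
    """Object whose pickled form calls builtins.eval when loaded. The expression
    is harmless here (returns the working directory); an attacker would
    substitute a reverse shell or dropper, as the scenario describes."""

    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def build_malicious_checkpoint() -> bytes:
    # Constructed sample: what an attacker would drop into the session directory as a .pt file.
    return pickle.dumps(_Payload(), protocol=4)


def build_benign_checkpoint() -> bytes:
    # Constructed sample: a state_dict-shaped object built only from containers and numbers.
    state = collections.OrderedDict([("net.weight", [0.5, -0.25]), ("net.bias", [0.0])])
    return pickle.dumps({"state_dict": state, "epoch": 3}, protocol=4)


def unsafe_load(blob: bytes):
    """Equivalent of torch.load(path) before the fix: every global the stream
    names is imported and, via REDUCE, called with attacker-chosen arguments."""
    return pickle.loads(blob)


# Minimal allowlist in the spirit of torch.load(weights_only=True) (assumption:
# the real allowlist also covers torch's tensor and storage rebuild helpers).
_ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class _RestrictedUnpickler(pickle.Unpickler):
    """find_class is the only hook through which a pickle reaches Python objects
    by name, so allowlisting it is sufficient to stop arbitrary callables."""

    def find_class(self, module, name):
        if (module, name) in _ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from checkpoint")


def safe_load(blob: bytes):
    """Equivalent of torch.load(path, weights_only=True): a global outside the
    allowlist aborts the load before anything is called."""
    return _RestrictedUnpickler(io.BytesIO(blob)).load()


def load_is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe load ran the payload; eval returned:", unsafe_load(build_malicious_checkpoint()))
    print("safe load of benign checkpoint, epoch:", safe_load(build_benign_checkpoint())["epoch"])
    print("safe load rejects payload:", load_is_rejected(build_malicious_checkpoint()))
```

Note that the restricted loader rejects the malicious stream before eval is ever resolved, which is why the fix works against payloads that have not been seen before; the cost is that a checkpoint which legitimately pickles custom classes is rejected too and has to be converted to a plain state_dict.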

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 1, 2026
Last Modified
June 1, 2026
First Seen
June 1, 2026

Related Vulnerabilities