CVE-2026-50195: containerd: checkpoint import poisons node image cache

GHSA-cvxm-645q-p574 MEDIUM
Published June 19, 2026
CISO Take

containerd's CRI checkpoint import process accepts arbitrary image references without validation, allowing any attacker with pod creation permissions to assign a malicious image an arbitrary local tag and poison the node's image cache. With 5,435 downstream dependents and near-universal adoption in Kubernetes-based AI/ML infrastructure — LLM serving clusters, training pipelines, and MLOps platforms alike — a single compromised developer account is sufficient to silently redirect legitimate AI workloads to attacker-controlled code on every affected node. The attack exploits the widely deployed 'IfNotPresent' pull policy: once the cache is poisoned, victim pods execute the malicious image under their own service account identity, giving the attacker access to model weights, API keys embedded in env vars, and GPU resources without triggering any external image pull or registry alert. Update containerd to 2.3.2, 2.2.5, or 2.1.9 immediately and set 'imagePullPolicy: Always' on all sensitive AI workloads as an interim control that bypasses the local cache.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

MEDIUM per CVSS baseline but practically HIGH for AI/ML environments sharing Kubernetes clusters. Exploitation requires pod creation permissions — a routine grant in multi-tenant GPU clusters — and no novel technical skill beyond understanding checkpoint API semantics. The per-node blast radius is broad: all pods using a poisoned tag with 'IfNotPresent' or 'Never' pull policy are affected silently and retroactively. In AI contexts, victim pod identities typically carry cloud provider credentials, HuggingFace/model registry tokens, and inference API keys, making privilege escalation and lateral movement straightforward after initial execution. No public exploit or CISA KEV listing as of publication, but the conceptual exploit is simple to reproduce for any attacker familiar with containerd internals.

How does the attack unfold?

Initial Access (AML.T0012): Attacker uses valid pod creation permissions to submit a crafted checkpoint image whose configuration embeds references to a malicious image on an attacker-controlled registry.

Cache Poisoning (AML.T0010.004): containerd imports the checkpoint without validating image references, silently pulling the malicious image and assigning it an arbitrary local tag that matches a legitimate production image name.

Masquerade (AML.T0074): The poisoned tag is now indistinguishable from the legitimate image in the node's local cache, intercepting all pods on that node using IfNotPresent or Never pull policy.

Code Execution & Exfiltration (AML.T0010): Victim AI workload pods execute the attacker's image under their service account identity, enabling credential theft, model weight exfiltration, and lateral movement across the cluster.

What systems are affected?

Package: Anthropic Python
Ecosystem: go
Vulnerable range: >= 2.1.0, < 2.1.9
Patched: 2.1.9
Package stats: 3.6K, 5.4K dependents, pushed 9d ago, 94% patched, ~1d to patch

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Patch: Upgrade containerd to 2.3.2, 2.2.5, or 2.1.9.

  2. Interim control: Set 'imagePullPolicy: Always' on all production AI serving and training pods — forces a registry pull on every start, bypassing any locally cached poisoned image.

  3. RBAC: Audit and restrict pod creation permissions; restrict checkpoint import capabilities via admission controllers (OPA/Gatekeeper, Kyverno) to block crafted checkpoint images from untrusted principals.

  4. Node inspection: Run 'ctr images list' on all affected nodes to audit local image cache for unexpected or unrecognized tags, especially those matching production image names.

  5. Monitoring: Alert on pod creation events referencing checkpoint annotations from untrusted namespaces or unfamiliar registries.

  6. Network policy: Restrict pod egress to known endpoints to limit exfiltration from any containers that may already be compromised.
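One way to carry out the node inspection in step 4 with an actual digest comparison rather than a visual scan of tags, as an added example that is not containerd's or the advisory's code: it parses the output of `ctr -n k8s.io images list` and flags two things, a production tag whose cached digest differs from the digest the deployment expects (the poisoned-cache case), and a cached tag that reuses a production image name but is not one the cluster pins (the lookalike-tag case, such as a bare 'pytorch:2.3.0' that normalizes to docker.io/library/pytorch). The sample `ctr` output, the digests, the expected-digest table and the production name set are all constructed for the example; in practice the expected digests would be resolved out-of-band from the registry or a signed release manifest.

```python
"""Audit a containerd node's image cache for poisoned or lookalike tags.

Added example for this page, not containerd project code. It reads the
output of `ctr -n k8s.io images list` (columns REF TYPE DIGEST SIZE
PLATFORMS LABELS) and compares each tag's local digest with the digest the
deployment actually expects.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample output in the layout of `ctr -n k8s.io images list`.
# All digests are made-up placeholders, not real image digests.
SAMPLE_CTR_OUTPUT = """\
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/pytorch/pytorch:2.3.0 application/vnd.oci.image.index.v1+json sha256:aaaa1111 2.8 GiB linux/amd64 io.cri-containerd.image=managed
docker.io/pytorch/pytorch@sha256:aaaa1111 application/vnd.oci.image.index.v1+json sha256:aaaa1111 2.8 GiB linux/amd64 io.cri-containerd.image=managed
docker.io/vllm/vllm-openai:v0.4.2 application/vnd.oci.image.index.v1+json sha256:bbbb2222 4.1 GiB linux/amd64 io.cri-containerd.image=managed
docker.io/library/pytorch:2.3.0 application/vnd.oci.image.index.v1+json sha256:eeee5555 2.8 GiB linux/amd64 -
docker.io/library/alpine:3.19 application/vnd.oci.image.index.v1+json sha256:cccc3333 3.4 MiB linux/amd64,linux/arm64 -
"""

# Constructed: what the cluster's manifests pin. The pytorch digest differs
# from the cached one above, which is exactly the poisoned-cache case.
EXPECTED_DIGESTS = {
    "docker.io/pytorch/pytorch:2.3.0": "sha256:dddd4444",
    "docker.io/vllm/vllm-openai:v0.4.2": "sha256:bbbb2222",
}

# Repository basenames of production images (constructed). A cached tag that
# reuses one of these names but is not pinned above is a lookalike to inspect.
PRODUCTION_NAMES = {"pytorch", "vllm-openai"}


@dataclass(frozen=True)
class Finding:
    kind: str  # "DIGEST_MISMATCH" or "UNEXPECTED_TAG"
    ref: str
    local_digest: str
    expected_digest: Optional[str] = None


def parse_ctr_images(text: str) -> dict:
    """Map each tagged ref to its local digest, skipping digest-pinned refs."""
    refs = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] == "REF":
            continue
        ref, _media_type, digest = tokens[:3]
        # repo@sha256:... refs are pinned by content; a poisoned cache only
        # matters for mutable name:tag refs, so those are the ones audited.
        if "@" in ref:
            continue
        refs[ref] = digest
    return refs


def repo_basename(ref: str) -> str:
    """'docker.io/library/pytorch:2.3.0' -> 'pytorch' (tolerates host:port)."""
    last = ref.rsplit("/", 1)[-1]
    repo = ref.rsplit(":", 1)[0] if ":" in last else ref
    return repo.rsplit("/", 1)[-1]


def audit_cache(local: dict, expected: dict, production_names: set) -> list:
    """Return findings for mismatched production digests and lookalike tags."""
    findings = []
    for ref, digest in local.items():
        if ref in expected:
            if digest != expected[ref]:
                findings.append(Finding("DIGEST_MISMATCH", ref, digest, expected[ref]))
        elif repo_basename(ref) in production_names:
            findings.append(Finding("UNEXPECTED_TAG", ref, digest))
    return findings


def audit_node() -> list:
    """Run the audit against the live node cache (needs ctr on the node)."""
    out = subprocess.run(["ctr", "-n", "k8s.io", "images", "list"],
                         check=True, capture_output=True, text=True).stdout
    return audit_cache(parse_ctr_images(out), EXPECTED_DIGESTS, PRODUCTION_NAMES)


if __name__ == "__main__":
    for f in audit_cache(parse_ctr_images(SAMPLE_CTR_OUTPUT),
                         EXPECTED_DIGESTS, PRODUCTION_NAMES):
        print(f"{f.kind}: {f.ref} local={f.local_digest} expected={f.expected_digest}")
```

Run on the sample, the script reports the poisoned docker.io/pytorch/pytorch:2.3.0 tag and the lookalike docker.io/library/pytorch:2.3.0 tag and stays silent on the vLLM and alpine images. A DIGEST_MISMATCH on a node is the signal to cordon it and remove the tag before any IfNotPresent pod lands there; replacing the expected-digest table with digest-pinned image references in the manifests themselves removes the tag ambiguity the attack relies on.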

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2026-50195 actively exploited?

No confirmed active exploitation of CVE-2026-50195 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-50195?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps platforms, multi-tenant AI clusters, container-based AI deployments.

What is the CVSS score for CVE-2026-50195?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, MLOps platforms, multi-tenant AI clusters, container-based AI deployments

MITRE ATLAS Techniques

AML.T0010 AI Supply Chain Compromise
AML.T0010.004 Container Registry
AML.T0012 Valid Accounts
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

## Impact

containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an `IfNotPresent` (or `Never`) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity.

## Patches

This bug has been fixed in the following containerd versions:

* 2.3.2
* 2.2.5
* 2.1.9

Users should update to these versions to resolve the issue.

## Workarounds

Users should only allow trusted images to be pulled.

## Credits

The containerd project would like to thank Henry Beberman (@hbeberman) of Microsoft, the GKE Security Team using Gemini, Anthropic Research, in collaboration with Claude, and Robert Prast (@robertprast) who independently discovered and responsibly disclosed this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).

## For more information

If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)
* Email us at [security@containerd.io](mailto:security@containerd.io)

To report a security issue in containerd:

* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)
* Email us at [security@containerd.io](mailto:security@containerd.io)

Exploitation Scenario

An attacker compromises a developer account with pod creation rights in a shared GPU cluster running LLM inference services. They build a checkpoint image whose embedded configuration references a malicious image hosted at an attacker-controlled registry spoofing 'pytorch/pytorch:2.3.0'. When the attacker creates a pod using this checkpoint, containerd imports it without validating the image reference — it pulls the malicious image and locally tags it 'pytorch:2.3.0' on the node. An hour later, when a vLLM serving pod is rescheduled to the same node with 'imagePullPolicy: IfNotPresent', Kubernetes skips the registry pull and executes the attacker's image instead. The malicious container starts alongside legitimate inference traffic, harvests HUGGING_FACE_HUB_TOKEN and cloud credentials from environment variables, and establishes a reverse shell — all under the vLLM service account's RBAC identity.

Weaknesses (CWE)

CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Source: MITRE CWE corpus.

Timeline

Published: June 19, 2026
Last Modified: June 19, 2026
First Seen: June 19, 2026
