CVE-2026-56304: picklescan: FileHandler bypass creates filesystem artifacts

MEDIUM
Published June 20, 2026
CISO Take

picklescan before 1.0.1 contains an ironic flaw: the tool designed to block malicious pickle payloads can itself be exploited via a crafted pickle that instantiates Python's logging.FileHandler class to bypass its RCE blocklist and create arbitrary zero-byte files on the scanner host. While the immediate impact is limited to filesystem artifact creation rather than full code execution, this finding fundamentally undermines the security guarantee picklescan provides — any ML pipeline relying on it as a security gate should treat scanned models as potentially untrusted until the tool is patched. No public exploits exist and this is not in CISA KEV, keeping real-world risk relatively contained for now, but the demonstrated blocklist bypass suggests the attack surface for more severe variants warrants close attention. Upgrade to picklescan 1.0.1 immediately and consider adding safetensors-based model distribution as a defense-in-depth measure.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, but elevated concern within AI/ML security programs. CVSS 6.5 reflects network-accessible, zero-authentication exploitation with low integrity and availability impact. The more significant risk is the demonstrated bypass of picklescan's core RCE prevention logic — if FileHandler instantiation evades the blocklist, other non-flagged Python classes may enable more severe impacts. Organizations using picklescan as a trusted security control should treat this as a control failure, not just a software bug, and audit their model validation pipeline assumptions accordingly.

How does the attack unfold?

  1. Craft Payload (AML.T0011.000): Attacker constructs a pickle file that instantiates logging.FileHandler targeting a sensitive filesystem path, exploiting the fact that this standard library class is absent from picklescan's RCE blocklist.

  2. Submit to Scanner (AML.T0049): The crafted pickle is submitted to a pipeline or model registry running picklescan, via model upload, contribution workflow, or any intake path where untrusted pickles are evaluated.

  3. Bypass Defense (AML.T0107): picklescan evaluates the payload, fails to flag logging.FileHandler as prohibited, and the deserialization executes during scanning, creating attacker-specified zero-byte files on the scanner host.

  4. Impact (AML.T0029): Created lock files or sentinel files disrupt downstream pipeline processes (CI/CD jobs, orchestrators, model servers), causing denial of service or silently granting the scanned model a false 'clean' status for downstream consumers.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
picklescan  pip         -                  No patch
Package stats: 412, 3 dependents, pushed 1mo ago, 81% patched, ~12d to patch

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low

What should I do?

6 steps
  1. Upgrade picklescan to version 1.0.1 or later immediately — this is the only complete fix.

  2. If patching is delayed, add mandatory manual review of all models flagged as 'safe' by picklescan before loading.

  3. Migrate model serialization to safetensors format where feasible, eliminating pickle deserialization risk entirely.

  4. Run picklescan in a sandboxed, read-only filesystem environment so that file creation side effects cannot affect pipeline infrastructure.

  5. Monitor for unexpected file creation events in directories accessible by the scanning process.

  6. Review whether any other pickle-scanning tooling in your stack shares similar class-allowlist/blocklist logic.
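Step 6 asks whether other tooling shares picklescan's blocklist logic. As an added example (not picklescan's own code), the inspector below uses pickletools.genops to list every global a pickle would import without executing it, and refuses anything outside an allowlist, so a logging.FileHandler reference is refused by default rather than having to be named in advance. The allowlist entries and the pickled fixtures are assumptions constructed for the example.

```python
import io
import logging
import pickle
import pickletools
from typing import List, Tuple

# Assumed allowlist (a defender's choice, not picklescan's): the only importable names a
# model pickle may reference. Anything else is refused, unlike a blocklist, which only
# refuses names someone already thought of (logging.FileHandler was not one of them).
DEFAULT_ALLOWLIST = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """List every (module, name) the pickle would import, without executing it.

    Handles the text GLOBAL opcode (protocol <= 3, arg is 'module name') and
    STACK_GLOBAL (protocol >= 4, module and name are the two preceding string pushes).
    Strings reached via memo GET opcodes are not resolved; that is a known limitation.
    """
    found: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: module/name strings missing")
            found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
    return found


def scan(data: bytes, allowlist=DEFAULT_ALLOWLIST) -> dict:
    """Verdict is 'safe' only if every referenced global is explicitly allowed."""
    globals_seen = referenced_globals(data)
    blocked = [g for g in globals_seen if g not in allowlist]
    return {"globals": globals_seen, "blocked": blocked,
            "verdict": "unsafe" if blocked else "safe"}


# Constructed fixtures: pickling the class object itself emits only the import
# reference (no REDUCE call), so these bytes are inert when loaded but carry the
# exact logging.FileHandler reference the advisory describes, in both opcode forms.
FILEHANDLER_REF_P2 = pickle.dumps(logging.FileHandler, protocol=2)
FILEHANDLER_REF_P4 = pickle.dumps(logging.FileHandler, protocol=4)
BENIGN_WEIGHTS = pickle.dumps({"layer0.weight": [0.1, -0.2, 0.3]}, protocol=4)
```

Because genops only decodes opcodes, the scan itself never constructs objects, which also removes the scanner-side file creation that this CVE relies on.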

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.5 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Treatments and mitigations for identified AI risks
MAP-5.1 - Likelihood of AI risks
OWASP LLM Top 10
LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-56304 actively exploited?

No confirmed active exploitation of CVE-2026-56304 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56304?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, CI/CD model validation pipelines, agent frameworks.

What is the CVSS score for CVE-2026-56304?

CVE-2026-56304 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, CI/CD model validation pipelines, agent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.5
NIST AI RMF: MANAGE-2.2, MAP-5.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.

Exploitation Scenario

An adversary targeting an ML platform that gates model ingestion behind picklescan uploads a pickle file to a shared model registry or submits it via a model contribution workflow. The pickle payload is crafted to instantiate logging.FileHandler targeting a path such as /tmp/pipeline.lock or a sentinel file that signals pipeline readiness. picklescan processes the payload, fails to flag FileHandler as a prohibited class, marks the file as clean, and the instantiation executes during scanning — creating the zero-byte file. Downstream pipeline jobs that check for the absence of lock files, or that depend on clean sentinel state, are disrupted. In environments where the scanner runs as a privileged user, more sensitive paths (cron lock files, deployment flags) become targets for cascading availability impact.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
June 20, 2026
Last Modified
June 20, 2026
First Seen
June 20, 2026
