CVE-2026-56315: picklescan: stdlib bypass enables arbitrary RCE

CRITICAL
Published June 23, 2026
CISO Take

picklescan, a widely-deployed security tool for detecting malicious pickle files in ML/AI pipelines, contains a critical validation bypass in versions before 1.0.4 — it fails to block at least seven Python standard library modules (uuid, imaplib, _pyrepl.pager, _osx_support, _aix_support, and others) that collectively expose eight functions capable of arbitrary OS command execution. Organizations using picklescan to gate model ingestion have a dangerous false sense of security: a crafted pickle file importing any of these unblocked modules passes the scanner clean while delivering a full RCE payload, making all prior scan results untrustworthy. With a CVSS of 9.8, no privileges or user interaction required, and a public advisory now naming the exact bypass modules, weaponized exploit development is trivial and fast. Patch to picklescan 1.0.4 immediately, re-scan all previously validated pickle files, and layer in sandboxed deserialization or migration to safetensors as defense-in-depth.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Critical. This vulnerability uniquely targets an AI security control rather than a standard application component: exploiting it silently invalidates a layer of defense that organizations rely on for model supply chain security. No privileges or user interaction are required, and the attack surface includes any pipeline where pickle-format models are ingested and validated with picklescan. Post-advisory, exploitation complexity drops to near-trivial, because the specific unblocked module names are now public knowledge. Any organization treating picklescan results as a security gate for pickle-format models (PyTorch .pt/.pth, scikit-learn .pkl, XGBoost, etc.) must treat its entire previously scanned model inventory as untrusted until it has been re-validated with version 1.0.4.

How does the attack unfold?

1. Craft Malicious Artifact (AML.T0011.000)
Adversary creates a pickle file that imports unblocked Python stdlib modules (e.g., imaplib, uuid) to route around picklescan's blocklist and embed arbitrary OS command execution via exposed module functions.

2. Defense Evasion via Scanner Bypass (AML.T0107)
Malicious pickle file is submitted to the target's model ingestion pipeline; picklescan < 1.0.4 scans the file, finds no explicitly blocked imports, and returns a clean result, invalidating the primary security gate.

3. Execution via Deserialization (AML.T0050)
The falsely validated file is promoted to a model registry or inference environment; when the worker deserializes the pickle, the embedded payload executes arbitrary OS commands with the process's privileges.

4. Post-Exploitation (AML.T0072)
Attacker establishes a reverse shell from the model serving host, gaining persistent access to GPU infrastructure, API secrets, inference endpoints, and internal network resources.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
picklescan pip No patch


How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Upgrade picklescan to 1.0.4 immediately — this release explicitly adds the unblocked stdlib modules to the blocklist.

  2. Re-scan all pickle files previously validated with versions < 1.0.4; do not treat prior clean results as trustworthy.

  3. Implement defense-in-depth: migrate model storage to safetensors format where possible (no arbitrary code execution on load); use sandboxed Python environments (RestrictedPython, nsjail, gVisor) for deserialization; apply strict filesystem and network egress restrictions on model-loading workers.

  4. Monitor for unexpected outbound network connections from model serving or training hosts, which may indicate a triggered reverse shell payload from a previously validated file.

  5. Enforce model provenance: restrict ingestion to signed, checksummed artifacts from trusted sources and apply cryptographic verification independent of format scanning.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.6 - AI system and component security
NIST AI RMF: MANAGE 2.2 - Responses to the AI risks deemed high priority
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2026-56315 actively exploited?

No confirmed active exploitation of CVE-2026-56315 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-56315?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model registries, model serving, CI/CD model validation pipelines, AI supply chain.

What is the CVSS score for CVE-2026-56315?

CVE-2026-56315 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

training pipelines, model registries, model serving, CI/CD model validation pipelines, AI supply chain

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0072 Reverse Shell
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.

Exploitation Scenario

An adversary targets an organization with an automated ML model ingestion pipeline protected by picklescan. They craft a malicious pickle file that uses `import imaplib` as an entry point — a stdlib module not blocked by picklescan < 1.0.4 — and chains through its exposed functions to spawn an OS subprocess executing a reverse shell callback. The adversary publishes the file to a public model hub (Hugging Face, GitHub, S3 bucket) or submits it via a model contribution workflow. The victim's CI/CD pipeline runs picklescan, receives a clean scan result, and auto-promotes the model to a staging or production inference server. When the server loads the model for the first time, the pickle deserializer triggers the payload, establishing an attacker-controlled shell inside the model serving environment with access to GPU infrastructure, API keys, inference secrets, and internal network resources.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
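Remediation steps 3 and 5 above and the CWE-184 guidance come down to the same control for any pipeline that must keep loading pickle-format models: decide which globals a pickle may resolve instead of enumerating the ones it may not, so a module the list has never heard of is rejected rather than waved through. The block below is an added example, not picklescan's or any project's code; ALLOWED_GLOBALS, the _Stub helper and the two sample pickles are constructed for illustration.

```python
import collections
import fractions
import io
import pickle

# Constructed allowlist of (module, name) pairs a loader may resolve; a real
# pipeline names exactly the classes its model format needs, nothing else.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class _Stub:
    """Inert stand-in for every global during the audit: absorbs REDUCE, NEWOBJ,
    BUILD, SETITEMS and APPENDS without importing or running any real code."""
    def __new__(cls, *args, **kwargs): return super().__new__(cls)
    def __init__(self, *args, **kwargs): pass
    def __call__(self, *args, **kwargs): return _Stub()
    def __setstate__(self, state): pass
    def __setitem__(self, key, value): pass
    def extend(self, items): pass

class _AuditUnpickler(pickle.Unpickler):
    """Dry run: records each (module, name) the pickle asks for, imports nothing."""
    def __init__(self, data: bytes):
        super().__init__(io.BytesIO(data))
        self.seen = set()

    def find_class(self, module, name):
        self.seen.add((module, name))
        return _Stub

class AllowlistUnpickler(pickle.Unpickler):
    """Enforcing loader: a module the list does not name is rejected by default,
    the allowlist posture CWE-184 recommends over a blocklist of bad modules."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)

def gate(data: bytes) -> list:
    """Globals outside the allowlist; an empty list means the artifact may load."""
    auditor = _AuditUnpickler(data)
    auditor.load()
    return sorted(auditor.seen - ALLOWED_GLOBALS)

def safe_loads(data: bytes):
    """Load with the allowlisting unpickler; unlisted globals raise UnpicklingError."""
    return AllowlistUnpickler(io.BytesIO(data)).load()

# Constructed samples: a benign OrderedDict, and a class from an unlisted module.
SAMPLE_OK = pickle.dumps(collections.OrderedDict(a=1))
SAMPLE_UNLISTED = pickle.dumps(fractions.Fraction(1, 3))
```

The audit pass runs the real pickle stack machine against inert stubs, so it reports the (module, name) pairs the loader would actually resolve rather than guessing them from opcodes; the enforcing unpickler then applies the same allowlist at load time, which the static scanner the advisory describes cannot do.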

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 23, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
