Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-22171 | OpenClaw: path traversal allows arbitrary file write | OpenClaw | 8.2 |
| MEDIUM | CVE-2026-22217 | OpenClaw: $SHELL env hijack enables arbitrary code execution | OpenClaw | 6.1 |
| CRITICAL | CVE-2026-26210 | KTransformers: pickle RCE via unauthenticated ZMQ socket | ktransformers | 9.8 |
| MEDIUM | CVE-2026-27183 | OpenClaw: shell allowlist bypass via dispatch wrapper depth | OpenClaw | 5.3 |
| HIGH | CVE-2026-27566 | OpenClaw: allowlist bypass enables arbitrary OS command exec | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-27646 | OpenClaw: sandbox escape via /acp spawn command | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27524 | OpenClaw: prototype pollution bypasses command gate | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-27545 | OpenClaw: symlink race bypasses agent run approval | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27523 | OpenClaw: sandbox path traversal bypasses bind isolation | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27670 | OpenClaw: TOCTOU race enables arbitrary file write in agents | OpenClaw | 5.3 |
| HIGH | CVE-2026-28460 | OpenClaw: allowlist bypass enables OS command execution | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31990 | OpenClaw: symlink traversal enables arbitrary file write | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-29607 | OpenClaw: auth bypass enables unapproved RCE via wrapper | OpenClaw | 6.8 |
| MEDIUM | CVE-2026-29608 | OpenClaw: argv rewrite bypasses approval, enables RCE | OpenClaw | 6.7 |
| HIGH | CVE-2026-31992 | OpenClaw: guardrail allowlist bypass enables arbitrary command execution | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31995 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 5.3 |
| HIGH | CVE-2026-32000 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31993 | OpenClaw: exec approval bypass allows RCE on macOS | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-31997 | OpenClaw: post-approval PATH rebind enables arbitrary RCE | OpenClaw | 6.0 |
| HIGH | CVE-2026-31998 | OpenClaw: auth bypass enables unauthorized agent dispatch | OpenClaw | 8.6 |