Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-31224 | snorkel: RCE via unsafe model deserialization | snorkel | 8.8 |
| CRITICAL | CVE-2026-31238 | Ludwig: RCE via unsafe pickle deserialization in model serve | ludwig | 9.8 |
| CRITICAL | CVE-2026-31239 | mamba: RCE via unsafe torch.load() on model load | mamba-ssm | 9.8 |
| CRITICAL | CVE-2026-31229 | ART: torch.load() RCE via insecure deserialization | 9.8 | |
| HIGH | CVE-2026-31232 | CosyVoice: RCE via unsafe torch.load() model deserialization | 8.8 | |
| HIGH | CVE-2026-45134 | LangSmith: prompt deserialization enables SSRF + data leak | langchain | 7.1 |
| HIGH | CVE-2026-45136 | claude-code-cache-fix: hook path injection → RCE | claude-code-cache-fix | - |
| CRITICAL | CVE-2026-44792 | n8n: SQL injection via poisoned Source Control git repo | n8n | 9.0 |
| CRITICAL | CVE-2026-44789 | n8n: prototype pollution in HTTP node enables RCE | n8n | 9.9 |
| HIGH | CVE-2026-8597 | SageMaker: RCE via poisoned Triton model artifacts in S3 | sagemaker | 7.2 |
| HIGH | CVE-2026-45539 | Microsoft APM: symlink attack leaks host files in agent deps | apm | 7.4 |
| CRITICAL | CVE-2026-45829 | ChromaDB: pre-auth RCE via trust_remote_code injection | chromadb | 10.0 |
| CRITICAL | GHSA-wx9m-wx4f-4cmg | mistralai 2.4.6: supply chain dropper executes on import | mistralai | 9.6 |
| LOW | GHSA-jgg6-4rpr-wfh7 | Mistral npm SDK: supply chain attack, no impact | @mistralai/mistralai-azure | - |
| HIGH | CVE-2026-4137 | MLflow: insecure tmp dir perms enable model artifact RCE | mlflow | 7.0 |
| CRITICAL | CVE-2026-45758 | guardrails-ai: malicious 0.10.1 enables host compromise | guardrails-ai | 9.6 |
| HIGH | CVE-2026-45804 | diffusers: TOCTOU race bypasses trust_remote_code, RCE | diffusers | 7.5 |
| HIGH | CVE-2026-46517 | LMDeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-8596 | SageMaker SDK: cleartext HMAC key enables model artifact RCE | sagemaker | 7.2 |
| HIGH | CVE-2026-46432 | lmdeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |