CVE 9.8 CRITICAL

CVE-2026-31217_CVE-2026-31217

May 13, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design does not validate or sanitize the file's content, allowing an attacker who controls the input directory to execute arbitrary Python code in the context of the process running the script.

AI Analysis

Arbitrary code execution vulnerability in the _load_model() function of the optimate project

Basic Information

ID CVE-2026-31217

Source mitre

Published May 12, 2026 at 00:00

Modified May 13, 2026 at 14:01

Affected Product

Vendor nebuly-ai

Product optimate

Version n/a

Affected Versions n/a n/a n/a

CWE Classification

CWE-94

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor nebuly-ai

Product optimate

Version n/a

References

{
    "lastseen": "",
    "description": "The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design does not validate or sanitize the file's content, allowing an attacker who controls the input directory to execute arbitrary Python code in the context of the process running the script.",
    "published": "2026-05-12T00:00:00.000Z",
    "modified": "2026-05-13T14:01:54.734Z",
    "type": "cve",
    "title": "CVE-2026-31217",
    "source": "mitre",
    "references": "https://github.com/nebuly-ai/optimate\nhttps://www.notion.so/CVE-2026-31217-35d1e13931888179ae40dea5258d2db9",
    "id": "CVE-2026-31217",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "optimate",
    "version": "n/a",
    "vendor": "nebuly-ai",
    "ai_description": "Arbitrary code execution vulnerability in the _load_model() function of the optimate project",
    "ai_severity": "Critical",
    "ai_vendor": "nebuly-ai",
    "ai_product": "optimate",
    "ai_version": "n/a",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply