CVE 8.8 HIGH

CVE-2026-31224_CVE-2026-31224

May 13, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

AI Analysis

Insecure deserialization vulnerability in the MultitaskClassifier.load() method, allowing arbitrary code execution via malicious model files

Basic Information

ID CVE-2026-31224

Source mitre

Published May 12, 2026 at 00:00

Modified May 13, 2026 at 14:05

Affected Product

Vendor snorkel-team

Product snorkel

Version v0.10.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor snorkel-team

Product snorkel

Version v0.10.0

References

{
    "lastseen": "",
    "description": "The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.",
    "published": "2026-05-12T00:00:00.000Z",
    "modified": "2026-05-13T14:05:56.939Z",
    "type": "cve",
    "title": "CVE-2026-31224",
    "source": "mitre",
    "references": "https://github.com/snorkel-team/snorkel\nhttps://www.notion.so/CVE-2026-31224-35d1e1393188814185f3f6db86c9a4e9",
    "id": "CVE-2026-31224",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "snorkel",
    "version": "v0.10.0",
    "vendor": "snorkel-team",
    "ai_description": "Insecure deserialization vulnerability in the MultitaskClassifier.load() method, allowing arbitrary code execution via malicious model files",
    "ai_severity": "High",
    "ai_vendor": "snorkel-team",
    "ai_product": "snorkel",
    "ai_version": "v0.10.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply