CVSS Score: 9.8 / 10 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Ludwig through version 0.10.4 is vulnerable to insecure deserialization (CWE-502) via its predict() method. When a user passes a dataset file path to predict(), the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded with pandas.read_pickle() without any validation or security restrictions, which deserializes arbitrary Python objects through the unsafe pickle module. A remote attacker who can supply a maliciously crafted pickle file as the dataset can therefore achieve arbitrary code execution on the system running the Ludwig prediction.
AI Analysis: Insecure deserialization vulnerability in the Ludwig framework through its predict() method
Basic Information
ID: CVE-2026-31237
Source: mitre
Published: May 12, 2026 at 00:00
Modified: May 14, 2026 at 19:54
Affected Product
Vendor: Uber
Product: Ludwig
Version: 0.10.4
Affected Versions: n/a
CWE Classification: CWE-502 (Deserialization of Untrusted Data)
AI Assessment
AI Score: 9.8 / 10
AI Severity: Critical